CVE-2025-26345 — AI Deep Analysis Summary

🚨 **Essence**: Critical Access Control Error in Q-Free MAXTIME Suite. <br>💥 **Consequences**: Attackers can manipulate user group permissions via crafted HTTP requests.…

🛡️ **Root Cause**: **CWE-306** (Missing Authentication for Critical Function).…

🏢 **Vendor**: Q-Free. <br>📦 **Product**: MAXTIME Suite (Local traffic signal management). <br>📅 **Affected Versions**: **2.11.0 and earlier** versions.

🕵️ **Attacker Actions**: Edit **user group permissions**. <br>🔓 **Privileges**: Gains ability to modify critical system configurations without authentication.…

⚡ **Threshold**: **LOW**. <br>🔑 **Auth**: **None required** (PR:N). <br>🌐 **Network**: Remote (AV:N). <br>🎯 **Complexity**: Low (AC:L). Easy to exploit remotely.

📜 **Public Exp?**: **No PoC provided** in the current data. <br>⚠️ **Risk**: Despite no public code, the low CVSS complexity suggests wild exploitation is likely imminent given the critical nature.

🔍 **Self-Check**: Scan for Q-Free MAXTIME Suite instances. <br>📡 **Feature**: Look for exposed `maxprofile/menu/routes.lua` endpoints.…

🩹 **Fix Status**: **Patch available** implied by CVE publication. <br>🔄 **Action**: Upgrade to a version **newer than 2.11.0**. <br>📝 **Reference**: Check Nozomi Networks advisory for specific patch details.

🚧 **No Patch?**: Implement **Network Segmentation**. <br>🛑 **Mitigation**: Block external access to the MAXTIME Suite management interface.…

🔥 **Urgency**: **CRITICAL**. <br>📈 **Priority**: **P0**. <br>⏱️ **Reason**: CVSS Score is **9.8** (Critical). Remote, unauthenticated, high impact. Immediate patching or isolation is required.