Question 1

What is this vulnerability? (Essence + Consequences)

Accepted Answer

🚨 **Essence**: Critical Access Control Error in Q-Free MAXTIME Suite.…

Question 2

Root Cause? (CWE/Flaw)

Accepted Answer

🛡️ **Root Cause**: **CWE-306** (Missing Authentication for Critical Function).…

Question 3

Who is affected? (Versions/Components)

Accepted Answer

🏢 **Affected Vendor**: Q-Free.
📦 **Product**: MAXTIME Suite (Local Traffic Signal Management).
📅 **Versions**: **2.11.0 and earlier** versions are vulnerable.

Question 4

What can hackers do? (Privileges/Data)

Accepted Answer

💻 **Attacker Actions**:
1. Edit **User Permissions** directly.
2. Escalate privileges to admin levels.
3. Modify traffic signal logic/routes.
4.…

Question 5

Is exploitation threshold high? (Auth/Config)

Accepted Answer

⚡ **Exploitation Threshold**: **LOW**.
🔓 **Auth**: None required (**PR:N** - Privileges Required: None).
🌐 **Network**: Remote (**AV:N**).
👤 **User Interaction**: None (**UI:N**).…

Question 6

Is there a public Exp? (PoC/Wild Exploitation)

Accepted Answer

📜 **Public Exploit**: **No**.
🚫 **PoC**: The `pocs` field is empty in the provided data.…

Question 7

How to self-check? (Features/Scanning)

Accepted Answer

🔍 **Self-Check Method**:
1. Scan for **Q-Free MAXTIME Suite** services.
2. Verify version is **≤ 2.11.0**.
3. Test access to `maxprofile/menu/routes.lua` endpoints without credentials.
4.…

Question 8

Is it fixed officially? (Patch/Mitigation)

Accepted Answer

🩹 **Official Fix**: **Yes**.
📢 **Action**: Upgrade to a version **newer than 2.11.0**.
🔗 **Reference**: Nozomi Networks Advisory provides details on the vulnerability and remediation steps.

Question 9

What if no patch? (Workaround)

Accepted Answer

🛑 **No Patch Workaround**:
1. **Network Segmentation**: Isolate the traffic management system from untrusted networks.
2. **WAF Rules**: Block direct access to `.lua` script endpoints.
3.…

Question 10

Is it urgent? (Priority Suggestion)

Accepted Answer

🔥 **Urgency**: **CRITICAL (Priority 1)**.
🚨 **Reason**: CVSS **9.8** (Critical). Remote, unauthenticated, low complexity.…

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-26347 — AI Deep Analysis Summary

Q1What is this vulnerability? (Essence + Consequences)

Q2Root Cause? (CWE/Flaw)

Q3Who is affected? (Versions/Components)

Q4What can hackers do? (Privileges/Data)

Q5Is exploitation threshold high? (Auth/Config)

Q6Is there a public Exp? (PoC/Wild Exploitation)

Q7How to self-check? (Features/Scanning)

Q8Is it fixed officially? (Patch/Mitigation)

Q9What if no patch? (Workaround)

Q10Is it urgent? (Priority Suggestion)

Continue exploring