CVE-2025-26361 — AI Deep Analysis Summary

🚨 **Essence**: Critical Access Control Error in Q-Free MAXTIME Suite. <br>💥 **Consequences**: Attackers can trigger a **factory reset** via crafted HTTP requests, causing total service disruption and data loss.

🛡️ **Root Cause**: **CWE-306** (Missing Authentication for Critical Function). <br>🔍 **Flaw**: The `maxprofile/setup/routes.lua` script lacks identity verification, allowing unauthorized execution.

🏢 **Vendor**: Q-Free. <br>📦 **Product**: MaxTime (Local Traffic Signal Management). <br>📅 **Affected**: Versions **2.11.0 and earlier**.

🕵️ **Attacker Action**: Send specific HTTP requests to execute the reset function. <br>📉 **Impact**: **High Integrity (I:H)** & **High Availability (A:H)** impact.…

⚡ **Threshold**: **LOW**. <br>🔓 **Auth**: **None required** (PR:N). <br>🌐 **Access**: Network accessible (AV:N). <br>👤 **User Interaction**: None needed (UI:N). Easy to exploit remotely.

📜 **Public Exploit**: **No PoC provided** in the data. <br>🌍 **Wild Exploitation**: Unknown status. However, the low barrier to entry makes it highly likely to be weaponized soon.

🔍 **Self-Check**: Scan for Q-Free MAXTIME Suite services. <br>🧪 **Test**: Attempt to access `maxprofile/setup/routes.lua` endpoints. If no auth is prompted and the endpoint is reachable, you are vulnerable.

🩹 **Official Fix**: **Yes**. The advisory implies a fix exists for versions newer than 2.11.0. <br>✅ **Action**: Upgrade to the latest patched version immediately.

🚧 **No Patch Workaround**: <br>1. **Network Segmentation**: Block external access to the management interface. <br>2. **WAF Rules**: Filter HTTP requests targeting `routes.lua`. <br>3.…

🔥 **Urgency**: **CRITICAL**. <br>⏱️ **Priority**: **P1**. <br>💡 **Reason**: Remote, unauthenticated, high impact (DoS/Data Loss). Immediate patching or mitigation is required to protect traffic infrastructure.