CVE-2025-26350
Published: 12 February 2025
Description
Adversaries may upload malware to third-party or adversary-controlled infrastructure to make it accessible during targeting.
Security Summary
CVE-2025-26350, published on 2025-02-12, is a CWE-434 unrestricted upload of file with dangerous type vulnerability in the template file uploads component of Q-Free MaxTime versions less than or equal to 2.11.0. It enables an authenticated remote attacker to upload malicious files through crafted HTTP requests. The vulnerability has a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N), indicating medium severity with high integrity impact but no effects on confidentiality or availability.
An attacker requires high privileges (PR:H) to exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows uploading arbitrary malicious files, potentially leading to integrity violations such as executing unauthorized code or altering system templates within the affected MaxTime instance.
Mitigation details are available in the advisory published by Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26350.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted upload of dangerous files to template uploads enables exploitation of public-facing web applications (T1190), web shell deployment (T1100), template injection via malicious templates (T1221), and malware staging through file uploads (T1608.001), potentially leading to arbitrary file overwrites and system compromise.