Cyber Posture

CVE-2025-26356

High

Published: 12 February 2025

Modified: 28 October 2025
KEV Added:
Patch:
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0175 (82.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Security Summary

CVE-2025-26356 is a path traversal vulnerability classified under CWE-35, present in the setActive endpoint of the maxtime/api/database/database.lua component in Q-Free MaxTime versions less than or equal to 2.11.0. Published on 2025-02-12, this flaw enables an authenticated remote attacker to overwrite sensitive files by sending crafted HTTP requests, potentially leading to unauthorized modifications within the application's file system.

The vulnerability can be exploited by a remote attacker who possesses high privileges (PR:H), requiring network access (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation remains confined to the affected component (S:U) but yields high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 7.2. Successful attacks could allow the overwriting of critical files, compromising system integrity and potentially enabling further malicious actions.

Mitigation guidance and additional details are available in the vulnerability advisory from Nozomi Networks at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26356.

Details

CWE(s)
CWE-35

Affected Products

Vendor: q-free
Product: maxtime
Version: ≤ 2.11.0

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1485 Data Destruction (Tactic: Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1565.001 Stored Data Manipulation (Tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Path traversal enables arbitrary overwrite of sensitive files, facilitating exploitation for privilege escalation (T1068), data destruction through overwriting/corruption (T1485), and stored data manipulation (T1565.001).
