Primary

Context

Q-Free MaxTime Missing Authentication Vulnerability Allowing Unauthenticated Factory Reset

Vulnerability

A vulnerability allowing unauthenticated remote attackers to factory reset devices running Q-Free MaxTime versions through 2.11.0 has been identified. This vulnerability, categorized as CWE-306 'Missing Authentication for Critical Function', resides in the file maxprofile/setup/routes.lua. Exploitation of this vulnerability erases all device configurations, leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability allows for an unauthenticated remote factory reset of the device, erasing all configurations and causing a denial-of-service condition.

Remediation

Until an official patch is released, it is recommended to restrict and monitor network access to the management web application on devices running Q-Free MaxTime versions through 2.11.0.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

7.4

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

7.4

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Q-Free MaxTime Missing Authentication Vulnerability Allowing Unauthenticated Factory Reset

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating