A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.
The vulnerability results from the manufacturer's use of a static, hardcoded password for the root account in Q-Free MaxTime software. Since the password is identical across all product installations and cannot be changed by the user, an attacker with knowledge of this password can authenticate to the SSH service without any additional privileges. After logging in, the attacker gains full control of the system with the highest privileges.
Attackers gain unlimited access to the system with root privileges, enabling arbitrary code execution, data modification or deletion, malware installation, and complete device takeover.
Apply patches available from the manufacturer according to references. Additionally, it is recommended to restrict SSH port access only to trusted IP addresses at the firewall level and monitor SSH login attempts until the patch is deployed.
Q-Free MaxTime version 2.11.0 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HQ Free Maxtime
APPQ-Free≤ 2.11.0
Related vulnerabilities
Q-Free MaxTime: brak uwierzytelnienia umożliwia włączenie trybu gościa bez hasła
Brak uwierzytelnienia dla krytycznej funkcji w Q-Free MaxTime
Q-Free MaxTime: tworzenie kont bez uwierzytelnienia (w tym kont admina)
Q-Free MaxTime: resetowanie haseł bez uwierzytelnienia (CWE-306)
Q-Free MaxTime: brak uwierzytelnienia umożliwia zmianę uprawnień grup użytkowników