Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Hardcoded AWS root keys in shipped binary; any attacker can extract and remotely access Worksnaps' AWS account, fully compromising a separate cloud authority (S:C), all impacts High.
Primary rating from Vendor (SEC-VLab).
CVSS VectorVendor: SEC-VLab
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials authenticated as the AWS account root identity and provided access to Worksnaps production cloud resources, including S3 buckets containing sensitive data such as screenshots of user desktops. An attacker with access to the affected client binaries could extract or recover the credentials and use them to access affected Worksnaps cloud resources.
AnalysisAI
Credential exposure in Worksnaps client application before version 1.6.20260201 allows attackers who obtain the binaries to extract hardcoded AWS root credentials and S3 bucket identifiers, granting access to production cloud resources containing sensitive user desktop screenshots. The flaw was disclosed by SEC-VLab (SEC Consult) and a vendor-patched build is available; no public exploit identified at time of analysis, though credential extraction from distributed binaries is trivial once the artifact is obtained.
Technical ContextAI
Worksnaps is an employee time-tracking and productivity monitoring product by Silver Leaf Technologies (CPE: cpe:2.3:a:silver_leaf_technologies,_inc.:worksnaps.net_worksnaps) whose desktop client periodically uploads screenshots and activity data to AWS-hosted backend storage. The root cause is CWE-798 (Use of Hard-coded Credentials): AWS access keys, S3 bucket names, and related cloud access material were embedded directly in the shipped client binaries instead of being brokered through a per-user authenticated session or short-lived STS tokens. Critically, the embedded credentials authenticated as the AWS account root identity, which in AWS IAM has unrestricted, non-revocable-by-policy access to every resource in the account - the worst-case key type to leak.
RemediationAI
Apply the vendor-released patch by upgrading the Worksnaps client to version 1.6.20260201 or later, obtainable from https://www.worksnaps.net/www/download.shtml, and confirm with Worksnaps that the previously embedded AWS root credentials have been deactivated and all access keys rotated server-side - without rotation a patched client does not eliminate exposure of keys already extracted from older binaries. As compensating controls until upgrade, organizations should remove older Worksnaps client binaries from endpoints and software repositories to deny attackers an extraction source (side effect: time-tracking briefly unavailable), block outbound traffic from older clients to the Worksnaps S3 endpoints at the perimeter, and request from Worksnaps written confirmation that S3 bucket policies and root-key usage have been hardened. Refer to the SEC Consult advisory at https://r.sec-consult.com/worksnaps for further detail.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210275
GHSA-5r6x-5pmx-96h2