Skip to main content

Worksnaps Client CVE-2025-10560

| EUVDEUVD-2025-210275 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-06-18 SEC-VLab GHSA-5r6x-5pmx-96h2
9.3
CVSS 4.0 · Vendor: SEC-VLab
Share

Severity by source

Vendor (SEC-VLab) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
10.0 CRITICAL

Hardcoded AWS root keys in shipped binary; any attacker can extract and remotely access Worksnaps' AWS account, fully compromising a separate cloud authority (S:C), all impacts High.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Primary rating from Vendor (SEC-VLab).

CVSS VectorVendor: SEC-VLab

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 18, 2026 - 09:46 vuln.today

DescriptionCVE.org

Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials authenticated as the AWS account root identity and provided access to Worksnaps production cloud resources, including S3 buckets containing sensitive data such as screenshots of user desktops. An attacker with access to the affected client binaries could extract or recover the credentials and use them to access affected Worksnaps cloud resources.

AnalysisAI

Credential exposure in Worksnaps client application before version 1.6.20260201 allows attackers who obtain the binaries to extract hardcoded AWS root credentials and S3 bucket identifiers, granting access to production cloud resources containing sensitive user desktop screenshots. The flaw was disclosed by SEC-VLab (SEC Consult) and a vendor-patched build is available; no public exploit identified at time of analysis, though credential extraction from distributed binaries is trivial once the artifact is obtained.

Technical ContextAI

Worksnaps is an employee time-tracking and productivity monitoring product by Silver Leaf Technologies (CPE: cpe:2.3:a:silver_leaf_technologies,_inc.:worksnaps.net_worksnaps) whose desktop client periodically uploads screenshots and activity data to AWS-hosted backend storage. The root cause is CWE-798 (Use of Hard-coded Credentials): AWS access keys, S3 bucket names, and related cloud access material were embedded directly in the shipped client binaries instead of being brokered through a per-user authenticated session or short-lived STS tokens. Critically, the embedded credentials authenticated as the AWS account root identity, which in AWS IAM has unrestricted, non-revocable-by-policy access to every resource in the account - the worst-case key type to leak.

RemediationAI

Apply the vendor-released patch by upgrading the Worksnaps client to version 1.6.20260201 or later, obtainable from https://www.worksnaps.net/www/download.shtml, and confirm with Worksnaps that the previously embedded AWS root credentials have been deactivated and all access keys rotated server-side - without rotation a patched client does not eliminate exposure of keys already extracted from older binaries. As compensating controls until upgrade, organizations should remove older Worksnaps client binaries from endpoints and software repositories to deny attackers an extraction source (side effect: time-tracking briefly unavailable), block outbound traffic from older clients to the Worksnaps S3 endpoints at the perimeter, and request from Worksnaps written confirmation that S3 bucket policies and root-key usage have been hardened. Refer to the SEC Consult advisory at https://r.sec-consult.com/worksnaps for further detail.

Share

CVE-2025-10560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy