Worktime
CVE-2025-15559
CRITICAL
Severity by source
CVSS 3.1 vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
Description (source: CVE.org)
An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.
Analysis (AI-generated)
Unauthenticated OS command injection in NesterSoft WorkTime via the server API endpoint that generates and downloads the WorkTime client; the "guid" parameter is passed unsanitized into an OS command, allowing arbitrary command execution on the server.
Technical Context (AI-generated)
CWE-78 (Improper Neutralization of Special Elements used in an OS Command) in the client generation/download API. The injected command runs in the context of the WorkTime server service, i.e. as NT AUTHORITY\SYSTEM, so a successful request yields full control of the host.
Remediation (AI-generated)
Apply the vendor patch. Until the patch is deployed, restrict network access to the WorkTime server API to trusted clients and monitor the WorkTime server process for unexpected child processes (for example cmd.exe or powershell.exe spawned by the service), which is the typical indicator of this class of injection.
Related WorkTime vulnerabilities:
- An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpo
- An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system
- The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper enco
- Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the
Weakness: CWE-78 – OS Command Injection
Technique: Command Injection