WorkTime
CVE-2025-15561
Severity: HIGH
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.
Analysis (AI)
An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". [CVSS 7.8 HIGH]
Technical Context (AI)
Classified as CWE-269 (Improper Privilege Management). Affects WorkTime. An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.
Remediation (AI)
Monitor vendor advisories for a patch.
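One way to check whether a host has the writable-directory condition from the description, as an added example that is not part of the advisory or the vendor's tooling. The function name `Test-BroadWriteAccess` is hypothetical, and checking Authenticated Users and BUILTIN\Users in addition to "Everyone" is an assumption that goes beyond the one group the description names.

```powershell
# Added example: report ACL entries that let broad groups write to the
# directory named in the CVE description. Function name is hypothetical.
function Test-BroadWriteAccess {
    param(
        # Path taken from the CVE description.
        [string]$Path = 'C:\ProgramData\wta\ClientExe'
    )

    # Well-known SIDs, so the check does not depend on localized group names.
    # Only "Everyone" is named in the description; the other two are an
    # assumption added here because they are similarly broad.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Rights that allow creating or replacing a file such as WTWatch.exe.
    $rights = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]$rights::WriteData -bor [int]$rights::AppendData -bor
                 [int]$rights::Delete -bor [int]$rights::DeleteSubdirectoriesAndFiles -bor
                 [int]$rights::ChangePermissions -bor [int]$rights::TakeOwnership -bor
                 0x40000000 -bor 0x10000000   # raw GENERIC_WRITE and GENERIC_ALL bits

    if (-not (Test-Path -LiteralPath $Path)) { return }

    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs directly; inherit-only entries are included because they
    # still apply to files created inside the directory.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($broadSids.ContainsKey($sid) -and (([int]$ace.FileSystemRights) -band $writeMask)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Any output row means a low-privileged user can place files in the directory.
Test-BroadWriteAccess | Format-Table -AutoSize
```

An empty result means none of the checked groups holds a write-type Allow entry on the directory; Deny entries and other principals are not evaluated.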
Unauthenticated OS command injection in NesterSoft WorkTime via report generation API. Allows executing arbitrary comman
An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpo
The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper enco
Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the