DeskTime Time Tracking App EUVD-2025-209580

CVE-2025-10539 (MEDIUM)
Improper Certificate Validation (CWE-295)
2026-04-28 551230f0-3615-47bd-b7cc-93e92e730bbf
CVSS 3.1 base score: 4.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (3 events)

Apr 28, 2026 - 15:24, vuln.today: analysis generated
Apr 28, 2026 - 15:22, NVD: CVSS changed to 4.8 (MEDIUM)
Apr 28, 2026 - 10:01, EUVD: patch available

Description (NVD)

Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.

Analysis (AI-generated)

Remote code execution in DeskTime Time Tracking App before version 1.3.674 via improper TLS certificate validation allows network-positioned attackers to serve malicious executables during application updates without requiring user interaction. The flaw lies in the update mechanism's failure to properly validate TLS certificates, which lets an attacker in a man-in-the-middle position achieve user-level code execution. The EPSS score of 0.02% suggests a low real-world exploitation probability despite the RCE impact, most likely because the attack requires network positioning and depends on an update request occurring while the attacker is in place.

Technical Context (AI-generated)

The vulnerability stems from CWE-295 (Improper Certificate Validation): the DeskTime application fails to properly validate TLS certificates when communicating with its update servers. When the application checks for or downloads updates over HTTPS, an attacker positioned in the network path (capable of intercepting traffic via ARP spoofing, DNS hijacking, BGP hijacking, or operating a rogue access point) can present a self-signed or attacker-controlled certificate that the vulnerable client accepts without proper validation. The application then executes the attacker-supplied executable, believing it to be a legitimate update. This is a common failure pattern in software update mechanisms that lack certificate pinning or robust hostname and chain validation.
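The failure pattern described above (CWE-295 in an HTTPS update client), as an added illustration that is not DeskTime's code: the TLS context that accepts any certificate beside the hardened form, which validates chain and hostname, pins the update server's leaf certificate, and checks the downloaded artifact against a digest obtained out of band. The host, path, pin and digest values are constructed placeholders.

```python
import hashlib
import http.client
import ssl

# Constructed placeholders; a real client ships these values inside the binary.
UPDATE_HOST = "updates.example.invalid"
UPDATE_PATH = "/client/update.exe"
PINNED_LEAF_SHA256 = {"<sha256 hex of the update server's DER leaf certificate>"}

def vulnerable_context() -> ssl.SSLContext:
    """CWE-295 anti-pattern: TLS still encrypts, but any certificate is accepted,
    so whoever sits in the network path can present their own and be believed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # hostname never compared with the certificate
    ctx.verify_mode = ssl.CERT_NONE   # chain never validated against a trust store
    return ctx

def hardened_context() -> ssl.SSLContext:
    """Chain validation against the platform trust store plus hostname matching."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """Audit check: would this context reject an attacker-controlled certificate?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def leaf_matches_pin(der_cert: bytes, pins: set) -> bool:
    """Pinning narrows trust from every public CA to the vendor's own certificate."""
    return hashlib.sha256(der_cert).hexdigest() in pins

def artifact_is_authentic(data: bytes, expected_sha256: str) -> bool:
    """Transport trust alone must not decide what gets executed: compare the payload
    with a digest (or signature) obtained independently of the download channel."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()

def fetch_update(expected_sha256: str) -> bytes:
    """Download with all three controls; raises rather than returning doubtful bytes."""
    conn = http.client.HTTPSConnection(UPDATE_HOST, context=hardened_context(), timeout=30)
    conn.request("GET", UPDATE_PATH)  # connects; the handshake already checked chain and name
    if not leaf_matches_pin(conn.sock.getpeercert(binary_form=True), PINNED_LEAF_SHA256):
        raise ssl.SSLError("update server certificate does not match the pin")
    resp = conn.getresponse()
    data = resp.read()
    if resp.status != 200 or not artifact_is_authentic(data, expected_sha256):
        raise ValueError("update rejected: unexpected status or digest mismatch")
    return data
```

The same `context_validates_peer` check is what a code review or a unit test would run against every `SSLContext` an updater builds; a context that fails it is the defect described in this record.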

Remediation (AI-generated)

Users must upgrade to DeskTime Time Tracking App version 1.3.674 or later, which fixes the TLS certificate validation. The vendor patch is confirmed as available; download the patched version from https://desktime.com/download. Organizations unable to patch immediately can apply network-level mitigations: enforce DNS security (DNSSEC), deploy HTTPS inspection at the gateway with proper certificate validation, and restrict clients to corporate networks with monitored internet egress. Alternatively, temporarily disable automatic updates and verify update sources manually through out-of-band channels until patching is feasible. Note that network-level mitigations do not remove the vulnerability from the application itself and are temporary measures only.
