CVE-2025-15559

Critical CVSS: 9.8

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.

Vendor

Nestersoft

Product

Worktime

CWE

CWE-78

Yayın Tarihi

2026-02-19 11:15:55

Güncelleme

2026-03-03 16:39:28

Source Identifier

551230f0-3615-47bd-b7cc-93e92e730bbf

KEV Date Added

Kategoriler

CWE-78 Worktime CRITICAL Nestersoft 2026

Referanslar

https://r.sec-consult.com/worktime

Benzer Kayıtlar

High

CVE-2025-15560

An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpo…

High

CVE-2025-15561

An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system…

Medium

CVE-2025-15562

The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper enco…

Medium

CVE-2025-15563

Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the…