CVE-2025-10539
- CVSS base score 4.8
- EPSS 0.18%
- Published 28.04.2026 07:52:23
- Last modified 18.05.2026 18:21:51
- Source 551230f0-3615-47bd-b7cc-93e92e
Improper TLS Certificate Validation RCE via Malicious Update in DeskTime Time Tracking App
Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.
Data provided by the National Vulnerability Database (NVD)
Affected product: Draugiemgroup ≫ Desktime Time Tracking, versions < 1.3.674
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.076 |

| Source | Base Score | Exploitability Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 4.8 | 2.2 | 2.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
CWE-295 Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.
CWE-296 Improper Following of a Certificate's Chain of Trust
The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
CWE-494 Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
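The failure chain in the vulnerability description and the three CWE entries above, as an added example that is not DeskTime's own code (the app's implementation language and update protocol are not given on this page; Go is used here because its standard library can stand up a TLS server in-process, so the whole exchange runs offline). An on-path impostor answers the update request over HTTPS with a certificate no trusted CA issued. A client that has switched off certificate validation (the CWE-295/CWE-296 condition) completes the handshake and receives the attacker's executable; a client with default validation refuses the handshake; and a SHA-256 check against a digest obtained independently of the download (the CWE-494 control) catches the substitution even when the TLS layer has failed. The update payloads, the digest, and the `/update.exe` path are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-ins for the genuine update and the attacker's substitute.
// A real updater would learn the genuine digest out of band, e.g. from a
// vendor-signed manifest shipped with the previous release (hypothetical:
// DeskTime's real update format is not described on this page).
const genuineUpdate = "MZ...genuine-update-executable..."
const maliciousUpdate = "MZ...attacker-controlled-executable..."

// expectedDigest is the hex SHA-256 of genuineUpdate, pinned before download.
func expectedDigest() string {
	sum := sha256.Sum256([]byte(genuineUpdate))
	return hex.EncodeToString(sum[:])
}

// newImpostorServer plays the on-path attacker: it serves the malicious payload
// over HTTPS with httptest's self-signed certificate, which no trusted CA issued.
func newImpostorServer(payload string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		_, _ = io.WriteString(w, payload)
	}))
}

// vulnerableClient reproduces the CWE-295 pattern: InsecureSkipVerify disables
// chain validation and hostname checking, so the impostor's certificate passes.
func vulnerableClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// hardenedClient keeps Go's default verification (chain to a trusted root plus
// hostname match). Pinning the vendor CA via tls.Config.RootCAs narrows it further.
func hardenedClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}}
}

// fetchUpdate performs the update request and returns the response body.
func fetchUpdate(client *http.Client, updateURL string) ([]byte, error) {
	resp, err := client.Get(updateURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// verifyUpdate is the CWE-494 control: accept the executable only if its SHA-256
// matches the independently obtained digest (constant-time compare).
func verifyUpdate(blob []byte, expectedHex string) bool {
	expected, err := hex.DecodeString(expectedHex)
	sum := sha256.Sum256(blob)
	if err != nil || len(expected) != len(sum) {
		return false
	}
	return subtle.ConstantTimeCompare(sum[:], expected) == 1
}

// Outcome records what each client did when the impostor answered.
type Outcome struct {
	VulnerableAcceptedImpostor bool // handshake succeeded, malicious bytes received
	DigestCaughtTampering      bool // integrity check would still have stopped it
	HardenedRejectedTLS        bool // default validation refused the handshake
}

// runScenario drives both clients against the impostor server.
func runScenario() (Outcome, error) {
	srv := newImpostorServer(maliciousUpdate)
	defer srv.Close()
	updateURL := srv.URL + "/update.exe"

	var out Outcome
	blob, err := fetchUpdate(vulnerableClient(), updateURL)
	if err != nil {
		return out, fmt.Errorf("vulnerable client unexpectedly failed: %w", err)
	}
	out.VulnerableAcceptedImpostor = string(blob) == maliciousUpdate
	out.DigestCaughtTampering = !verifyUpdate(blob, expectedDigest())

	_, err = fetchUpdate(hardenedClient(), updateURL)
	out.HardenedRejectedTLS = err != nil
	return out, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

Running it with `go run` prints the three flags. The digest check only helps if the expected value reaches the client over a channel the same attacker cannot rewrite; a digest fetched from the same unverified HTTPS endpoint as the binary is no control at all, which is why updaters normally verify a vendor signature over the manifest rather than a bare hash.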
https://r.sec-consult.com/desktime
https://desktime.com/download
https://sec-consult.com/vulnerability-lab/advisory/missing-tls-certificate-validation-leading-to-rce-in-desktime-time-tracking-app/
http://seclists.org/fulldisclosure/2026/Apr/20
http://seclists.org/fulldisclosure/2026/Apr/21