← Zuruck zu CVEs
CVE-2025-10539
MEDIUM4.8
Beschreibung
Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.
CVE Details
CVSS v3.1 Bewertung4.8
SchweregradMEDIUM
CVSS VektorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
AngriffsvektorNETWORK
KomplexitatHIGH
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht4/28/2026
Zuletzt geandert4/29/2026
Quellenvd
Honeypot-Sichtungen0
Schwachen (CWE)
CWE-295CWE-296CWE-494
Referenzen
https://desktime.com/download(551230f0-3615-47bd-b7cc-93e92e730bbf)
https://r.sec-consult.com/desktime(551230f0-3615-47bd-b7cc-93e92e730bbf)
http://seclists.org/fulldisclosure/2026/Apr/20(af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2026/Apr/21(af854a3a-2127-422b-91ae-364da2661108)
https://sec-consult.com/vulnerability-lab/advisory/missing-tls-certificate-validation-leading-to-rce-in-desktime-time-tracking-app/(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.