SEC Consult has disclosed several critical vulnerabilities in NesterSoft WorkTime, a productivity monitoring software. The flaws affect versions up to 11.8.8 and include unauthenticated OS command injection, SQL injection, and local privilege escalation. An attacker could exploit these issues to execute arbitrary commands with SYSTEM privileges or gain unauthorized access to sensitive database information.
Despite multiple attempts to contact the vendor since July 2025, NesterSoft has remained largely unresponsive regarding a comprehensive fix. Consequently, no patch is currently available for these vulnerabilities. Organizations using WorkTime are advised to contact the vendor directly and conduct thorough security reviews of their deployments to mitigate potential risks.