DEV Community

Mark0
SEC Consult SA-20260218-0 :: Multiple Critical Vulnerabilities in NesterSoft WorkTime (on-prem/cloud)

SEC Consult has disclosed multiple critical vulnerabilities in NesterSoft WorkTime (v11.8.8 and below), an employee monitoring software. The most severe flaw, CVE-2025-15559, is an unauthenticated OS command injection that allows attackers to execute arbitrary commands with SYSTEM privileges, leading to complete server takeover. Other critical issues include SQL injection vulnerabilities (CVE-2025-15560) and a local privilege escalation flaw (CVE-2025-15561) that enables attackers to elevate their privileges to NT Authority\SYSTEM.

Despite outreach efforts beginning in July 2025, the vendor has remained largely unresponsive, and no official patch or workaround is currently available. The advisory also highlights vulnerabilities related to reflected cross-site scripting (XSS) and broken access control, which can lead to a denial-of-service state by resetting the database configuration. Organizations using WorkTime are urged to contact the vendor immediately and conduct internal security assessments.
