CVE-2025-15561 (GCVE-0-2025-15561)

Vulnerability from cvelistv5 – Published: 2026-02-19 10:53 – Updated: 2026-02-23 18:26
VLAI?
Title
Local Privilege Escalation in NesterSoft WorkTime
Summary
An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named  WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
https://r.sec-consult.com/worktime third-party-advisory
Impacted products
Vendor Product Version
NesterSoft Inc. WorkTime (on-prem/cloud) Affected: <= 11.8.8
Create a notification for this product.
Credits
Tobias Niemann, SEC Consult Vulnerability Lab Daniel Hirschberger, SEC Consult Vulnerability Lab Thorger Jansen, SEC Consult Vulnerability Lab Marius Renner, SEC Consult Vulnerability Lab
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-15561",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-23T18:26:10.960311Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-23T18:26:47.903Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "WorkTime (on-prem/cloud)",
          "vendor": "NesterSoft Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 11.8.8"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tobias Niemann, SEC Consult Vulnerability Lab"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Thorger Jansen, SEC Consult Vulnerability Lab"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Marius Renner, SEC Consult Vulnerability Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\\SYSTEM. A malicious executable must be named\u0026nbsp; WTWatch.exe and dropped in the C:\\ProgramData\\wta\\ClientExe directory, which is writable by \"Everyone\". The executable will then be run by the WorkTime monitoring daemon.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\\SYSTEM. A malicious executable must be named\u00a0 WTWatch.exe and dropped in the C:\\ProgramData\\wta\\ClientExe directory, which is writable by \"Everyone\". The executable will then be run by the WorkTime monitoring daemon."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-19T10:53:18.501Z",
        "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "shortName": "SEC-VLab"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://r.sec-consult.com/worktime"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.\u003cbr\u003e"
            }
          ],
          "value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Local Privilege Escalation in NesterSoft WorkTime",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
    "assignerShortName": "SEC-VLab",
    "cveId": "CVE-2025-15561",
    "datePublished": "2026-02-19T10:53:18.501Z",
    "dateReserved": "2026-02-04T07:44:34.747Z",
    "dateUpdated": "2026-02-23T18:26:47.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-15561\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-23T18:26:10.960311Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-23T18:26:40.213Z\"}}], \"cna\": {\"title\": \"Local Privilege Escalation in NesterSoft WorkTime\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Tobias Niemann, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Daniel Hirschberger, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Thorger Jansen, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Marius Renner, SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-233\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-233 Privilege Escalation\"}]}], \"affected\": [{\"vendor\": \"NesterSoft Inc.\", \"product\": \"WorkTime (on-prem/cloud)\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 11.8.8\"}], \"defaultStatus\": \"unknown\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://r.sec-consult.com/worktime\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\\\\SYSTEM. A malicious executable must be named\\u00a0 WTWatch.exe and dropped in the C:\\\\ProgramData\\\\wta\\\\ClientExe directory, which is writable by \\\"Everyone\\\". The executable will then be run by the WorkTime monitoring daemon.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAn attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\\\\SYSTEM. A malicious executable must be named\u0026nbsp; WTWatch.exe and dropped in the C:\\\\ProgramData\\\\wta\\\\ClientExe directory, which is writable by \\\"Everyone\\\". The executable will then be run by the WorkTime monitoring daemon.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269 Improper Privilege Management\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2026-02-19T10:53:18.501Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-15561\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-23T18:26:47.903Z\", \"dateReserved\": \"2026-02-04T07:44:34.747Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2026-02-19T10:53:18.501Z\", \"assignerShortName\": \"SEC-VLab\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.