CVE-2025-10539

Sažetak

Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.

Reference

https://desktime.com/download
https://r.sec-consult.com/desktime
http://seclists.org/fulldisclosure/2026/Apr/20
http://seclists.org/fulldisclosure/2026/Apr/21
https://sec-consult.com/vulnerability-lab/advisory/missing-tls-certificate-validation-leading-to-rce-in-desktime-time-tracking-app/

CVSS

Base:	4.8
Impact:	2.5
Exploitability:	2.2

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Zadnje važnije ažuriranje

29-04-2026 - 20:16

Objavljeno

28-04-2026 - 09:16