Missing Certificate Validation in CleverControl Installer Allows Remote Code Execution

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Description

The CleverControl employee monitoring software (v11.5.1041.6) fails to validate TLS server certificates during the installation process. The installer downloads and executes external components using curl.exe --insecure, enabling a man-in-the-middle attacker to deliver malicious files that are executed with SYSTEM privileges. This can lead to full remote code execution with administrative rights. No patch is available as the vendor has been unresponsive. It is assumed that previous versions are also affected, but this is not confirmed.

Basic Information

ID CVE-2025-10548

Source SEC-VLab

Published Sep 23, 2025 at 06:49

Modified Sep 23, 2025 at 19:34

Affected Product

Vendor CleverControl

Product CleverControl employee monitoring software

Version 11.5.1041.6

Affected Versions CleverControl CleverControl employee monitoring software 11.5.1041.6

CWE Classification

CWE-295

References

r.sec-consult.com /clevercontrol

{
    "lastseen": "",
    "description": "The CleverControl employee monitoring software (v11.5.1041.6) fails to validate TLS server certificates during the installation process. The installer downloads and executes external components using curl.exe --insecure, enabling a man-in-the-middle attacker to deliver malicious files that are executed with SYSTEM privileges. This can lead to full remote code execution with administrative rights. No patch is available as the vendor has been unresponsive. It is assumed that previous versions are also affected, but this is not confirmed.",
    "published": "2025-09-23T06:49:33.659Z",
    "modified": "2025-09-23T19:34:50.357Z",
    "type": "cve",
    "title": "Missing Certificate Validation in CleverControl Installer Allows Remote Code Execution",
    "source": "SEC-VLab",
    "references": "https://r.sec-consult.com/clevercontrol",
    "id": "CVE-2025-10548",
    "bulletinFamily": "",
    "cwe": [
        "CWE-295"
    ],
    "cvelist": null,
    "sourceData": "CleverControl CleverControl employee monitoring software 11.5.1041.6",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CleverControl employee monitoring software",
    "version": "11.5.1041.6",
    "vendor": "CleverControl",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Missing Certificate Validation in CleverControl Installer Allows Remote Code Execution_CVE-2025-10548