Improper TLS Certificate Validation RCE via Malicious Update in DeskTime...

4.8 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.

Basic Information

ID CVE-2025-10539

Source SEC-VLab

Published Apr 28, 2026 at 07:52

Modified Apr 28, 2026 at 14:10

Affected Product

Vendor DeskTime

Product DeskTime Time Tracking App

Affected Versions DeskTime DeskTime Time Tracking App 0

CWE Classification

CWE-295 CWE-296 CWE-494

References

{
    "lastseen": "",
    "description": "Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.",
    "published": "2026-04-28T07:52:23.279Z",
    "modified": "2026-04-28T14:10:50.831Z",
    "type": "cve",
    "title": "Improper TLS Certificate Validation RCE via Malicious Update in DeskTime Time Tracking App",
    "source": "SEC-VLab",
    "references": "https://r.sec-consult.com/desktime\nhttps://desktime.com/download",
    "id": "CVE-2025-10539",
    "bulletinFamily": "",
    "cwe": [
        "CWE-295",
        "CWE-296",
        "CWE-494"
    ],
    "cvelist": null,
    "sourceData": "DeskTime DeskTime Time Tracking App 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "DeskTime Time Tracking App",
    "version": "0",
    "vendor": "DeskTime",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Improper TLS Certificate Validation RCE via Malicious Update in DeskTime Time Tracking App_CVE-2025-10539