CVE-2025-10539

MEDIUM

Improper TLS Certificate Validation RCE via Malicious Update in DeskTime Time Tracking App

Title source: cna

Description

Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.

References (5)

[Third Party Advisory] https://r.sec-consult.com/desktime

[Patch] https://desktime.com/download

[Vendor Advisory] https://sec-consult.com/vulnerability-lab/advisory/missing-tls-certificate-validation-leading-to-rce-in-desktime-time-tracking-app/

[Mailing List] http://seclists.org/fulldisclosure/2026/Apr/20

[Mailing List] http://seclists.org/fulldisclosure/2026/Apr/21

Scores

CVSS v3 4.8

EPSS 0.0002

EPSS Percentile 6.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-295 CWE-296 CWE-494

Status published

Products (1)

DeskTime/DeskTime Time Tracking App < 1.3.674

Published Apr 28, 2026

Tracked Since Apr 28, 2026