CVE-2025-10539
MEDIUMImproper TLS Certificate Validation RCE via Malicious Update in DeskTime Time Tracking App
Title source: cnaDescription
Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.
References (5)
Core 5
Core References
Third Party Advisory third-party-advisory
https://r.sec-consult.com/desktime
Patch patch
https://desktime.com/download
Vendor Advisory
https://sec-consult.com/vulnerability-lab/advisory/missing-tls-certificate-validation-leading-to-rce-in-desktime-time-tracking-app/
Mailing List
http://seclists.org/fulldisclosure/2026/Apr/20
Mailing List
http://seclists.org/fulldisclosure/2026/Apr/21
Scores
CVSS v3
4.8
EPSS
0.0018
EPSS Percentile
7.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-295
CWE-296
CWE-494
Status
published
Products (2)
DeskTime/DeskTime Time Tracking App
< 1.3.674
draugiemgroup/desktime_time_tracking
< 1.3.674
Published
Apr 28, 2026
Tracked Since
Apr 28, 2026