Description
An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.
References (1)
Core 1
Core References
Various Sources third-party-advisory
https://r.sec-consult.com/worktime
Scores
CVSS v3
9.8
EPSS
0.0044
EPSS Percentile
35.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (1)
nestersoft/worktime
< 11.8.8 (2 CPE variants)
Published
Feb 19, 2026
Tracked Since
Feb 19, 2026