CVEFinder.io

CVE-2025-10539

🔶 medium
🔍 Scan for this CVE
Summary

Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.

CVSS Score
4.8
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-04-28
First Seen: 2026-05-19
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 13.8% of all 321,566 vulnerabilities in our database.

#277,081
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Apr 28, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Daniel Hirschberger, SEC Consult Vulnerability Lab Thorger Jansen, SEC Consult Vulnerability Lab Tobias Niemann, SEC Consult Vulnerability Lab Marius Renner, SEC Consult Vulnerability Lab
SSVC data provided by CISA
Last Modified 2026-05-18
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE IDs (Weakness Types)
CWE-295 CWE-296 CWE-494

📦 Affected Products 1

Vendor Product Status Affected Versions
draugiemgroup desktime_time_tracking Affected
< 1.3.674

🔗 References 5

https://desktime.com/download
Product
https://r.sec-consult.com/desktime
Third Party Advisory
http://seclists.org/fulldisclosure/2026/Apr/20
Exploit Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2026/Apr/21
Exploit Mailing List Third Party Advisory
https://sec-consult.com/vulnerability-lab/advisory/m...
Third Party Advisory