CVE-2025-10539

4.8 MEDIUM
Published: April 28, 2026 Modified: May 18, 2026
View on NVD

Description

Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://desktime.com/download
Source: 551230f0-3615-47bd-b7cc-93e92e730bbf
Product
https://r.sec-consult.com/desktime
Source: 551230f0-3615-47bd-b7cc-93e92e730bbf
Third Party Advisory
http://seclists.org/fulldisclosure/2026/Apr/20
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2026/Apr/21
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Mailing List Third Party Advisory

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.8 / 10.0
EPSS (Exploit Probability)
0.2%
8th percentile
Exploitation Status
Not in CISA KEV

Affected Vendors

draugiemgroup