CVE-2025-10539 - Vulnerability Details

- Improper TLS Certificate Validation RCE via Malicious Update in DeskTime Time Tracking App

Description

Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.

Published: 2026-04-28

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

DeskTime Time Tracking App processes update requests from its servers but fails to properly validate TLS certificates. When an attacker can insert themselves in the network path between a client and the update server, they can supply a malicious executable in the update response. The client then accepts and runs the file, giving the attacker code execution on the endpoint at the user’s level. This weakness is associated with certificate validation and code signing failures (CWE-295, CWE-296, CWE-494).

Affected Systems

All installations of DeskTime Time Tracking App running any version earlier than v1.3.674 are affected. The vendor’s official fix is the patched release v1.3.674, available from the DeskTime download page.

Risk and Exploitability

With a CVSS score of 4.8, the vulnerability is considered moderate severity. The EPSS score of less than 1 % indicates a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits. Nonetheless, attackers with a position in the network path could exploit this flaw. Remediation requires applying the vendor patch, enforcing strict TLS certificate validation for update traffic, or blocking outgoing connections to the update servers if patching cannot yet occur.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

DeskTime

DeskTime Time Tracking App

unaffected

Version	Status	Constraints
`0`	affected	< 1.3.674

No data.

Vendor Product Confidence Versions

Desktime

Desktime Time Tracking App

100%

Version	Status	Scheme	Platform
`[0,1.3.674)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

The vendor provides a patched version v1.3.674 which can be obtained from: https://desktime.com/download

OpenCVE Recommended Actions

Apply the vendor‑supplied patch to version v1.3.674 or later from the DeskTime download page.
Configure network or endpoint software to enforce TLS certificate validation for update traffic, for example by enabling certificate pinning or using a trusted proxy that verifies certificates.
If immediate patching is not possible, block or monitor traffic to the DeskTime update servers to prevent a man‑in‑the‑middle from injecting malicious executables.

Generated by OpenCVE AI on April 28, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://desktime.com/download
https://r.sec-consult.com/desktime
https://sec-consult.com/vulnerability-lab/advisory/missing-tls-certificate-validation-leading-to-rce-in-desktime-time-tracking-app/

History

Wed, 29 Apr 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Desktime Desktime desktime Time Tracking App
Vendors & Products		Desktime Desktime desktime Time Tracking App

Tue, 28 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
References		https://sec-consult.com/vulnerability-lab/advisory/missing-tls-certificate-validation-leading-to-rce-in-desktime-time-tracking-app/

Tue, 28 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 28 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.
Title		Improper TLS Certificate Validation RCE via Malicious Update in DeskTime Time Tracking App
Weaknesses		CWE-295 CWE-296 CWE-494
References		https://desktime.com/download https://r.sec-consult.com/desktime

Subscriptions

Desktime Desktime Time Tracking App

MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published: 2026-04-28T07:52:23.279Z

Updated: 2026-04-28T14:10:50.831Z

Reserved: 2025-09-16T07:39:47.680Z

Link: CVE-2025-10539

Vulnrichment

Updated: 2026-04-28T14:09:38.312Z

NVD

Status : Awaiting Analysis

Published: 2026-04-28T09:16:16.187

Modified: 2026-04-28T20:23:20.703

Link: CVE-2025-10539

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:11:00Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object