{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15563", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2026-02-04T07:44:38.507Z", "datePublished": "2026-02-19T11:01:56.524Z", "dateUpdated": "2026-02-20T20:35:11.872Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "WorkTime (on-prem/cloud)", "vendor": "NesterSoft Inc.", "versions": [{"status": "affected", "version": "<= 11.8.8"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tobias Niemann, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Thorger Jansen, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Marius Renner, SEC Consult Vulnerability Lab"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p><p></p><p>Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.</p><p></p><p></p>"}], "value": "Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here."}], "impacts": [{"capecId": "CAPEC-166", "descriptions": [{"lang": "en", "value": "CAPEC-166 Force the System to Reset Values"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2026-02-19T11:01:56.524Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://r.sec-consult.com/worktime"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.<br>"}], "value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues."}], "source": {"discovery": "EXTERNAL"}, "title": "Broken Access Control results in Denial of Service in NesterSoft WorkTime", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T20:34:46.208230Z", "id": "CVE-2025-15563", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:35:11.872Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Broken Access Control results in Denial of Service in NesterSoft WorkTime", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Tobias Niemann, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Thorger Jansen, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Marius Renner, SEC Consult Vulnerability Lab"}], "impacts": [{"capecId": "CAPEC-166", "descriptions": [{"lang": "en", "value": "CAPEC-166 Force the System to Reset Values"}]}], "affected": [{"vendor": "NesterSoft Inc.", "product": "WorkTime (on-prem/cloud)", "versions": [{"status": "affected", "version": "<= 11.8.8"}], "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.", "supportingMedia": [{"type": "text/html", "value": "The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.<br>", "base64": false}]}], "references": [{"url": "https://r.sec-consult.com/worktime", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.", "supportingMedia": [{"type": "text/html", "value": "<p></p><p></p><p>Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.</p><p></p><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2026-02-19T11:01:56.524Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-15563", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T20:34:46.208230Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-20T20:35:04.792Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-15563", "state": "PUBLISHED", "dateUpdated": "2026-02-19T11:01:56.524Z", "dateReserved": "2026-02-04T07:44:38.507Z", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "datePublished": "2026-02-19T11:01:56.524Z", "assignerShortName": "SEC-VLab"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nestersoft:worktime:*:*:*:*:cloud:*:*:*", "matchCriteriaId": "F8A53FE8-6F29-462D-B7EB-C3E4F25DBEC3", "versionEndIncluding": "11.8.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:nestersoft:worktime:*:*:*:*:on-premise:*:*:*", "matchCriteriaId": "0A831FDF-1B71-48B4-BA2D-D2EFB151161A", "versionEndIncluding": "11.8.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here."}, {"lang": "es", "value": "Cualquier usuario no autenticado puede restablecer la configuraci\u00f3n de la base de datos local de WorkTime enviando una solicitud HTTP espec\u00edfica al servidor de WorkTime. No se aplica ninguna comprobaci\u00f3n de autorizaci\u00f3n aqu\u00ed."}], "id": "CVE-2025-15563", "lastModified": "2026-02-26T03:01:05.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T11:15:56.983", "references": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "tags": ["Third Party Advisory"], "url": "https://r.sec-consult.com/worktime"}], "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}]}

{}

{"created": "2026-02-20T10:07:14.242558+00:00", "updated": "2026-02-20T10:07:14.242633+00:00", "vendors": ["nestersoft", "nestersoft$PRODUCT$worktime"]}