WorkTime Monitoring Daemon Can Run Malicious Executables with Admin Privileges
CVE-2025-15561
Summary
A local attacker can use a malicious executable to gain administrator-level access (NT Authority\SYSTEM) on a computer running WorkTime. This happens if the malicious file is named WTWatch.exe and placed in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone"; the WorkTime monitoring daemon then runs it. To prevent this, ensure that only authorized users have write access to the directory and that the WorkTime monitoring daemon is configured to run with limited privileges.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| nestersoft | worktime | <= 11.8.8 | – |
Original title
An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and...
Original description
An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.
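A read-only audit of the condition described above, as an added example that is not part of the advisory or the vendor's tooling: it reports whether C:\ProgramData\wta\ClientExe (and WTWatch.exe, if present) grants write-type rights to broad principals, and records the file's hash, owner and Authenticode status for triage. The function name Get-BroadWriteAce and the choice of principals and rights are assumptions of this example.

```powershell
# Added example: read-only audit of the directory named in the advisory.
$dir    = 'C:\ProgramData\wta\ClientExe'   # path from the advisory
$target = Join-Path $dir 'WTWatch.exe'     # file name from the advisory

# Well-known SIDs for broad principals (stable across Windows display languages).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow creating, replacing or re-permissioning files, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits seen in some ACEs.
$rights    = 'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]$rights -bor 0x50000000

function Get-BroadWriteAce {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    # Request SIDs rather than account names so matching is locale-independent.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid) -and
            (([int]$rule.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Principal = $broadSids[$sid]
                               Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited }
        }
    }
}

if (-not (Test-Path -LiteralPath $dir)) {
    Write-Output "$dir not found on this host."
} else {
    $findings = @(Get-BroadWriteAce -Path $dir)
    if (Test-Path -LiteralPath $target) {
        $findings += @(Get-BroadWriteAce -Path $target)
        $sig = Get-AuthenticodeSignature -LiteralPath $target
        # Triage facts to compare against a known-good copy of the vendor binary.
        [pscustomobject]@{
            File         = $target
            SHA256       = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
            Owner        = (Get-Acl -LiteralPath $target).Owner
            LastWriteUtc = (Get-Item -LiteralPath $target).LastWriteTimeUtc
            Signature    = $sig.Status
            Signer       = $sig.SignerCertificate.Subject
        } | Format-List | Out-String
    }
    if ($findings.Count) { $findings | Format-Table -AutoSize | Out-String }
    else { Write-Output 'No write-type ACEs for Everyone, Authenticated Users or BUILTIN\Users.' }
}
```

Any row in the output means an unprivileged local account can place or replace files in the location the daemon executes from; an unexpected owner, signer or write time on WTWatch.exe is worth investigating.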
NVD CVSS 3.1
7.8
Vulnerability type
CWE-269
Improper Privilege Management
- https://r.sec-consult.com/worktime Third Party Advisory
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026