CVE-2025-10639 (GCVE-0-2025-10639)
Vulnerability from cvelistv5
Published
2025-10-21 11:36
Modified
2025-11-03 17:31
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-798 - Use of Hard-coded Credentials
Summary
The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304. An attacker with network access to this port can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\SYSTEM on the server by exchanging accessible service binaries in the WorkExaminer installation directory (e.g. "C:\Program File (x86)\Work Examiner Professional Server").
References
Impacted products
Vendor Product Version
EfficientLab WorkExaminer Professional Version: <= 4.0.0.52001
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-10639",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-22T19:01:35.557725Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-22T19:01:38.597Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:34.424Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://seclists.org/fulldisclosure/2025/Oct/19"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "WorkExaminer Professional",
          "vendor": "EfficientLab",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 4.0.0.52001"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tobias Niemann, SEC Consult Vulnerability Lab"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Thorger Jansen, SEC Consult Vulnerability Lab"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Marius Renner, SEC Consult Vulnerability Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe WorkExaminer Professional server installation comes with an FTP \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eserver that is used to receive the client logs on TCP port 12304.\u0026nbsp;\u003c/span\u003eAn attacker with network access to this port\u0026nbsp;can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\\SYSTEM on the server by exchanging accessible service binaries\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein the WorkExaminer installation directory (e.g. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\"C:\\Program File (x86)\\Work Examiner Professional Server\").\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304.\u00a0An attacker with network access to this port\u00a0can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\\SYSTEM on the server by exchanging accessible service binaries\u00a0in the WorkExaminer installation directory (e.g. \"C:\\Program File (x86)\\Work Examiner Professional Server\")."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-642",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-642 Replace Binaries"
            }
          ]
        },
        {
          "capecId": "CAPEC-191",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-191 Read Sensitive Constants Within an Executable"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798 Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-21T11:36:10.097Z",
        "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "shortName": "SEC-VLab"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://r.sec-consult.com/workexaminer"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vendor responded to the submission of our security vulnerabilities by stating that they are not within the scope of their bug bounty program. After telling them that we do not care about the bug bounty but a fix for the issues, we did not receive any further response.\u003cbr\u003e\u003cbr\u003eHence, there is no fix available for the identified security issues and we assume that this product is unmaintained. We urge customers to contact EfficientLab regarding the issues and a potential solution, such as using another product.\u003cbr\u003e"
            }
          ],
          "value": "The vendor responded to the submission of our security vulnerabilities by stating that they are not within the scope of their bug bounty program. After telling them that we do not care about the bug bounty but a fix for the issues, we did not receive any further response.\n\nHence, there is no fix available for the identified security issues and we assume that this product is unmaintained. We urge customers to contact EfficientLab regarding the issues and a potential solution, such as using another product."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Usage of Hardcoded FTP Credentials EfficientLab WorkExaminer Professional",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
    "assignerShortName": "SEC-VLab",
    "cveId": "CVE-2025-10639",
    "datePublished": "2025-10-21T11:36:10.097Z",
    "dateReserved": "2025-09-17T14:05:15.138Z",
    "dateUpdated": "2025-11-03T17:31:34.424Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-10639\",\"sourceIdentifier\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"published\":\"2025-10-21T12:15:34.770\",\"lastModified\":\"2025-11-03T18:15:46.290\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304.\u00a0An attacker with network access to this port\u00a0can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\\\\SYSTEM on the server by exchanging accessible service binaries\u00a0in the WorkExaminer installation directory (e.g. \\\"C:\\\\Program File (x86)\\\\Work Examiner Professional Server\\\").\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"references\":[{\"url\":\"https://r.sec-consult.com/workexaminer\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"},{\"url\":\"http://seclists.org/fulldisclosure/2025/Oct/19\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://seclists.org/fulldisclosure/2025/Oct/19\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T17:31:34.424Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-10639\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-22T19:01:35.557725Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-22T19:01:29.522Z\"}}], \"cna\": {\"title\": \"Usage of Hardcoded FTP Credentials EfficientLab WorkExaminer Professional\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Tobias Niemann, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Daniel Hirschberger, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Thorger Jansen, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Marius Renner, SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-642\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-642 Replace Binaries\"}]}, {\"capecId\": \"CAPEC-191\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-191 Read Sensitive Constants Within an Executable\"}]}], \"affected\": [{\"vendor\": \"EfficientLab\", \"product\": \"WorkExaminer Professional\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 4.0.0.52001\"}], \"defaultStatus\": \"unknown\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The vendor responded to the submission of our security vulnerabilities by stating that they are not within the scope of their bug bounty program. After telling them that we do not care about the bug bounty but a fix for the issues, we did not receive any further response.\\n\\nHence, there is no fix available for the identified security issues and we assume that this product is unmaintained. We urge customers to contact EfficientLab regarding the issues and a potential solution, such as using another product.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The vendor responded to the submission of our security vulnerabilities by stating that they are not within the scope of their bug bounty program. After telling them that we do not care about the bug bounty but a fix for the issues, we did not receive any further response.\u003cbr\u003e\u003cbr\u003eHence, there is no fix available for the identified security issues and we assume that this product is unmaintained. We urge customers to contact EfficientLab regarding the issues and a potential solution, such as using another product.\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://r.sec-consult.com/workexaminer\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304.\\u00a0An attacker with network access to this port\\u00a0can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\\\\SYSTEM on the server by exchanging accessible service binaries\\u00a0in the WorkExaminer installation directory (e.g. \\\"C:\\\\Program File (x86)\\\\Work Examiner Professional Server\\\").\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThe WorkExaminer Professional server installation comes with an FTP \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eserver that is used to receive the client logs on TCP port 12304.\u0026nbsp;\u003c/span\u003eAn attacker with network access to this port\u0026nbsp;can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\\\\SYSTEM on the server by exchanging accessible service binaries\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ein the WorkExaminer installation directory (e.g. \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\\"C:\\\\Program File (x86)\\\\Work Examiner Professional Server\\\").\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-798\", \"description\": \"CWE-798 Use of Hard-coded Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2025-10-21T11:36:10.097Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-10639\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T17:31:34.424Z\", \"dateReserved\": \"2025-09-17T14:05:15.138Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2025-10-21T11:36:10.097Z\", \"assignerShortName\": \"SEC-VLab\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.