CVE-2025-10639
📋 TL;DR
CVE-2025-10639 allows attackers with network access to TCP port 12304 to use hardcoded FTP credentials to gain SYSTEM-level remote code execution on WorkExaminer Professional servers. This affects organizations using WorkExaminer Professional for employee monitoring, particularly those with the server component exposed to untrusted networks.
💻 Affected Systems
- WorkExaminer Professional Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the server with SYSTEM privileges, allowing data theft, ransomware deployment, and lateral movement within the network.
Likely Case
Unauthorized access to sensitive employee monitoring data and logs, with potential for privilege escalation to full system control.
If Mitigated
Exposure limited to the internal network, so only internal users can reach the service; those users could still exploit the vulnerability.
🎯 Exploit Status
Exploitation requires knowledge of hardcoded credentials but is otherwise straightforward via FTP access and binary replacement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch exists. Follow workarounds and mitigation steps below.
🔧 Temporary Workarounds
Block FTP Port Access
Windows: Restrict network access to TCP port 12304 using firewall rules to prevent unauthorized connections.
netsh advfirewall firewall add rule name="Block WorkExaminer FTP" dir=in action=block protocol=TCP localport=12304
Disable FTP Server Service
Windows: Stop and disable the WorkExaminer FTP server service if client log collection via FTP is not required.
sc stop "WorkExaminer FTP Service"
sc config "WorkExaminer FTP Service" start= disabled
🧯 If You Can't Patch
- Isolate the WorkExaminer server in a restricted network segment with no internet exposure and minimal internal access.
- Implement strict network monitoring and alerting for any connections to port 12304 from unauthorized sources.
🔍 How to Verify
Check if Vulnerable:
Check if TCP port 12304 is listening on the server and test FTP login with known hardcoded credentials (if available from disclosure).
Check Version:
Check WorkExaminer Professional Server version via its interface or installed programs list.
Verify Fix Applied:
Verify port 12304 is no longer accessible or that FTP authentication fails with hardcoded credentials after applying workarounds.
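The following PowerShell script is an added example (not part of this advisory and not vendor code) that performs the verification steps above from the defender's side: it checks whether anything is still listening on TCP 12304, whether the block rule from the workaround section is present, enabled and scoped to that port, and whether the FTP service has been disabled. It assumes the port number, the firewall rule name "Block WorkExaminer FTP" and the service name "WorkExaminer FTP Service" exactly as given in the workaround commands; adjust them if your installation uses different names. Run it in an elevated PowerShell session on the server.

```powershell
# Added example for CVE-2025-10639 (not from the advisory or the vendor).
# Assumptions: port 12304, rule name and service name as in the workaround section.

function Test-WorkExaminerMitigation {
    param(
        [int]    $Port        = 12304,
        [string] $RuleName    = 'Block WorkExaminer FTP',    # name used in the netsh workaround
        [string] $ServiceName = 'WorkExaminer FTP Service'   # name used in the sc workaround
    )

    # 1. Is anything still listening on the FTP port? (IPv4 and IPv6 entries may both appear.)
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning ("TCP {0} is listening on {1} (PID {2}, {3})" -f $Port, $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }

    # 2. Is the inbound block rule present, enabled, and really a Block rule for this port?
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Select-Object -First 1
    $ruleOk = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block' -and $rule.Direction -eq 'Inbound')
    if ($ruleOk) {
        # Do not trust the rule name alone; confirm the port filter matches.
        $portFilter = $rule | Get-NetFirewallPortFilter
        $ruleOk = ($portFilter.Protocol -eq 'TCP' -and "$($portFilter.LocalPort)" -eq "$Port")
    }

    # 3. Service state, for installations that disabled the FTP service instead of (or as well as) firewalling it.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $svcDisabled = [bool]($svc -and $svc.Status -ne 'Running' -and $svc.StartType -eq 'Disabled')

    [pscustomobject]@{
        PortListening   = ($listeners.Count -gt 0)
        BlockRuleActive = $ruleOk
        ServiceFound    = [bool]$svc
        ServiceDisabled = $svcDisabled
        # Either the port is closed or an enabled inbound block rule covers it.
        Mitigated       = (($listeners.Count -eq 0) -or $ruleOk)
    }
}

# Optional reachability check from another host on the network: $true means the port still answers.
function Test-WorkExaminerPortReachable {
    param([Parameter(Mandatory)] [string] $ServerHost, [int] $Port = 12304)
    Test-NetConnection -ComputerName $ServerHost -Port $Port -InformationLevel Quiet
}

Test-WorkExaminerMitigation | Format-List
```

A result of `Mitigated = True` only reflects the host's own view; run `Test-WorkExaminerPortReachable -ServerHost <server>` from a machine in a segment that should not have access to confirm that the block is effective on the path that matters.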
📡 Detection & Monitoring
Log Indicators:
- FTP authentication logs showing successful logins from unexpected IP addresses
- Windows Event Logs showing service binary modifications or unexpected service restarts
Network Indicators:
- Unexpected FTP traffic on port 12304, especially from external or unauthorized internal IPs
- Network scans targeting port 12304
SIEM Query:
source="*ftp*" AND port=12304 AND (event="LOGIN" OR event="AUTH")
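As an added example of the detection logic (not part of this advisory), the PowerShell below scans Windows Firewall log lines for inbound TCP connection attempts to port 12304 from addresses outside an allowlist and summarises them per source, which covers both the "unexpected FTP traffic" and "network scans targeting port 12304" indicators. It assumes the default W3C field layout of pfirewall.log (date time action protocol src-ip dst-ip src-port dst-port ... path) and that logging of allowed and dropped packets is enabled on the host; the sample log lines are constructed for the example and are not real captures.

```powershell
# Added example for CVE-2025-10639 detection (not from the advisory or the vendor).
# Assumes the default pfirewall.log field order:
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path

function Find-SuspiciousFtpConnections {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int]      $Port           = 12304,
        [string[]] $AllowedSources = @()   # monitored clients / admin hosts expected to reach the port
    )
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }   # header/comment lines
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        $dstPort = 0
        if (-not [int]::TryParse($f[7], [ref]$dstPort)) { continue }
        # Keep only TCP traffic to the FTP port from sources not on the allowlist.
        if ($f[3] -ne 'TCP' -or $dstPort -ne $Port) { continue }
        if ($AllowedSources -contains $f[4]) { continue }
        [pscustomobject]@{
            Time      = "$($f[0]) $($f[1])"
            Action    = $f[2]        # ALLOW means the connection got through; DROP means the block rule worked
            Source    = $f[4]
            Dest      = $f[5]
            SrcPort   = $f[6]
            Direction = $f[-1]       # RECEIVE for inbound
        }
    }
}

# Per-source rollup: repeated attempts from one address look like scanning or brute forcing,
# and any ALLOW from an unexpected source is the event to escalate.
function Get-FtpSourceSummary {
    param([Parameter(Mandatory)] [object[]] $Hits)
    $Hits | Group-Object Source | ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Name
            Attempts = $_.Count
            Allowed  = @($_.Group | Where-Object Action -eq 'ALLOW').Count
            Dropped  = @($_.Group | Where-Object Action -eq 'DROP').Count
        }
    } | Sort-Object Allowed, Attempts -Descending
}

# Constructed sample lines (not real captures). 10.10.5.21 is a legitimate monitored client,
# 203.0.113.44 is an unexpected external source, and the last line is unrelated traffic.
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-10-01 09:14:02 ALLOW TCP 10.10.5.21 10.10.5.10 51022 12304 0 - 0 0 0 - - - RECEIVE
2025-10-01 09:14:05 ALLOW TCP 203.0.113.44 10.10.5.10 40012 12304 0 - 0 0 0 - - - RECEIVE
2025-10-01 09:14:06 DROP TCP 203.0.113.44 10.10.5.10 40013 12304 0 - 0 0 0 - - - RECEIVE
2025-10-01 09:14:07 DROP TCP 203.0.113.44 10.10.5.10 40014 12304 0 - 0 0 0 - - - RECEIVE
2025-10-01 09:14:09 ALLOW TCP 10.10.7.9 10.10.5.10 33201 445 0 - 0 0 0 - - - RECEIVE
'@ -split '\r?\n'

$hits = @(Find-SuspiciousFtpConnections -LogLines $sampleLog -AllowedSources @('10.10.5.21'))
$hits | Format-Table -AutoSize
Get-FtpSourceSummary -Hits $hits | Format-Table -AutoSize
```

To run this against the real log, replace `$sampleLog` with `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` after enabling logging with `Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True`; with the constructed sample, 203.0.113.44 is reported with one allowed and two dropped attempts, and the allowlisted client and the port-445 line are ignored.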