CVE-2025-15561
📋 TL;DR
A local, unprivileged user can escalate to SYSTEM. The WorkTime monitoring daemon, which runs as SYSTEM, executes whatever file is named WTWatch.exe in a directory that is writable by Everyone, so dropping a malicious WTWatch.exe there gets it run with SYSTEM privileges. Any organization running the affected WorkTime monitoring software is exposed.
💻 Affected Systems
- WorkTime monitoring software
📦 What is this software?
Worktime by Nestersoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper file system permissions are enforced and endpoint protection blocks unauthorized executable creation.
🎯 Exploit Status
Exploitation requires local access, but no elevated rights and no exploit code: copy a malicious executable named WTWatch.exe into the vulnerable directory and wait for the daemon to run it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://r.sec-consult.com/worktime
Restart Required: No
Instructions:
No official patch available. Apply workarounds and monitor vendor for updates.
🔧 Temporary Workarounds
Restrict directory permissions
Windows: remove the 'Everyone' write grant from the vulnerable directory (run from an elevated prompt). icacls /remove:g takes only the principal name, not a permission string, and it does not touch inherited ACEs; if the listing shows the grant with an (I) flag, disable inheritance first with /inheritance:d, then remove it.
icacls "C:\ProgramData\wta\ClientExe" /remove:g Everyone
icacls "C:\ProgramData\wta\ClientExe" /deny Everyone:(OI)(CI)W
Caveat: Everyone includes SYSTEM and Administrators, and a deny ACE takes precedence over every allow, so the deny line also stops the daemon and the installer from writing to this directory. Confirm WorkTime still updates itself correctly afterwards, or rely on removing the grant alone.
Enable file integrity monitoring
Windows: alert on file creation or modification in the vulnerable directory by any account other than SYSTEM (Sysmon Event ID 11, or an object-access audit SACL on the directory producing Event ID 4663).
🧯 If You Can't Patch
- Implement strict access controls to limit who can log into systems running WorkTime
- Deploy endpoint detection and response (EDR) to detect and block unauthorized executable creation
🔍 How to Verify
Check if Vulnerable:
Check that C:\ProgramData\wta\ClientExe exists and list its ACL with: icacls "C:\ProgramData\wta\ClientExe". The directory is vulnerable if Everyone (or another broad principal such as BUILTIN\Users or Authenticated Users) has an entry carrying (F), (M) or (W), or WD in a specific-rights list. An (I) flag on that entry means it is inherited from the parent folder and will survive /remove:g until inheritance is disabled.
Check Version:
Check WorkTime version through installed programs or vendor documentation
Verify Fix Applied:
Verify that the icacls listing no longer shows a write-capable entry for 'Everyone', then, logged in as an unprivileged user, try to create a file in the directory; the attempt must fail with "Access is denied".
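The permission check above, as an added example that is not the page's, Nestersoft's or SEC Consult's code: a Python helper that parses the listing printed by icacls and flags any broad principal holding a create-file right, so the check can be run over listings collected from many hosts. The directory path is the one named on this page; the three ACL listings are constructed in icacls format for the example, and the deny handling is a simplification (an explicit deny on a principal cancels that principal's allow).

```python
import re
from dataclasses import dataclass, field

# Constructed example: an icacls audit helper, not vendor or advisory code.
TARGET_DIR = r"C:\ProgramData\wta\ClientExe"

# Principals that include ordinary, non-admin logon sessions.
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# Rights that let a principal create a file in a directory: the simple rights
# F (full), M (modify) and W (write) all contain WD (write data / add file).
WRITE_RIGHTS = {"F", "M", "W", "WD"}

INHERITANCE_TOKENS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^(?P<principal>[^:()]+):(?P<groups>(?:\([^()]*\))+)$")


@dataclass
class Ace:
    principal: str
    deny: bool
    inherited: bool
    rights: set = field(default_factory=set)


def parse_icacls(output: str, path: str) -> list:
    """Parse the listing printed by `icacls <path>` into Ace records.

    icacls prints the path in front of the first ACE and indents the rest, so
    the path (which may contain spaces) is stripped as a prefix, not by splitting.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        tokens = re.findall(r"\(([^()]*)\)", m.group("groups"))
        rights = set()
        for tok in tokens:
            if tok in INHERITANCE_TOKENS or tok == "DENY":
                continue
            rights.update(r.strip() for r in tok.split(","))  # e.g. "RD,WD,AD"
        aces.append(Ace(m.group("principal").strip(), "DENY" in tokens, "I" in tokens, rights))
    return aces


def world_writable_grants(aces) -> list:
    """Allow ACEs that give a broad principal a create/write right and are not
    cancelled by an explicit deny on the same principal (deny ACEs win)."""
    denied = {a.principal.lower() for a in aces if a.deny and a.rights & WRITE_RIGHTS}
    return [a for a in aces
            if not a.deny
            and a.principal.lower() in BROAD_PRINCIPALS
            and a.rights & WRITE_RIGHTS
            and a.principal.lower() not in denied]


def audit(output: str, path: str = TARGET_DIR) -> list:
    """Human-readable findings; an empty list means no broad write grant."""
    findings = []
    for a in world_writable_grants(parse_icacls(output, path)):
        how = "inherited; use /inheritance:d before /remove" if a.inherited else "explicit"
        findings.append(f"{a.principal} can create files ({','.join(sorted(a.rights))}; {how})")
    return findings


# Constructed sample listings in icacls format (not captured from a real host).
VULNERABLE = r"""C:\ProgramData\wta\ClientExe Everyone:(OI)(CI)(W)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Same directory after the workaround: grant removed and an explicit deny added.
HARDENED = r"""C:\ProgramData\wta\ClientExe Everyone:(DENY)(OI)(CI)(W)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
"""

# A variant where the write right arrives by inheritance from the parent folder,
# which /remove:g alone would not fix.
INHERITED = r"""C:\ProgramData\wta\ClientExe NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Users:(I)(OI)(CI)(M)
"""

if __name__ == "__main__":
    for name, listing in (("vulnerable", VULNERABLE), ("hardened", HARDENED), ("inherited", INHERITED)):
        print(name, audit(listing) or ["ok"])
```

Feed it the raw output of `icacls "C:\ProgramData\wta\ClientExe"`; an empty result from audit() is the condition the "Verify Fix Applied" step asks for, and a finding marked inherited tells you the fix has to be applied with /inheritance:d first.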
📡 Detection & Monitoring
Log Indicators:
- File creation or modification events for WTWatch.exe in C:\ProgramData\wta\ClientExe by any account other than SYSTEM (Sysmon Event ID 11, or Event ID 4663 with an audit SACL on the directory)
- Process creation events for C:\ProgramData\wta\ClientExe\WTWatch.exe whose file hash does not match the vendor-shipped binary, or whose file is unsigned (Sysmon Event ID 1 carries the hash; Event ID 4688 alone does not)
Network Indicators:
- Outbound connections from WTWatch.exe to unexpected destinations
SIEM Query:
The malicious binary runs from exactly the vulnerable directory, so a 4688 rule that excludes C:\ProgramData\wta\ClientExe\ misses the attack. With Sysmon, alert on an untrusted write to the file or on a launch with an unrecognised hash (replace <known-good hash> with the SHA256 of WTWatch.exe from a clean install):
(EventID=11 AND TargetFilename="C:\ProgramData\wta\ClientExe\WTWatch.exe" AND NOT User="NT AUTHORITY\SYSTEM") OR (EventID=1 AND Image="C:\ProgramData\wta\ClientExe\WTWatch.exe" AND NOT Hashes:*SHA256=<known-good hash>*)
Without Sysmon, put an object-access SACL on the directory and alert on EventID=4663 AND ObjectName:C:\ProgramData\wta\ClientExe\* AND NOT SubjectUserName=SYSTEM, then review the matching EventID=4688 launches of WTWatch.exe.
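The detection logic described above, as an added example that is not vendor or advisory code: a Python rule run over constructed Sysmon-style events that flags an untrusted write to the drop path and a launch of the file with an unrecognised hash, correlating the launch with the account that wrote the file. The hash allowlist, user names, parent process path, installer path and timestamps are placeholders; in production the known-good SHA256 is taken from a clean WorkTime install.

```python
from datetime import datetime, timedelta

# Constructed example: detection over Sysmon-style events, not vendor code.
# The drop path is the one named on this page; everything else is a placeholder.
DROP_PATH = r"C:\ProgramData\wta\ClientExe\WTWatch.exe"

# Accounts allowed to write the daemon's binary (installer/updater run as SYSTEM).
TRUSTED_WRITERS = {"nt authority\\system"}

# SHA256 of the vendor-shipped WTWatch.exe; placeholder value, take it from a clean install.
KNOWN_GOOD_SHA256 = {"a" * 64}

# How far back to look for the write that planted a suspicious binary.
CORRELATION_WINDOW = timedelta(hours=1)


def parse_hashes(hashes_field: str) -> dict:
    """Sysmon writes the Hashes field as 'SHA256=...,MD5=...'; return {algo: hex}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def detect(events: list) -> list:
    """Return alerts for (a) WTWatch.exe written by an untrusted account and
    (b) WTWatch.exe launched from the drop path with an unrecognised hash,
    attaching to (b) the most recent untrusted write inside the window."""
    alerts = []
    untrusted_writes = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        # Sysmon Event ID 11: FileCreate
        if ev["EventID"] == 11 and ev["TargetFilename"].lower() == DROP_PATH.lower():
            if ev["User"].lower() not in TRUSTED_WRITERS:
                untrusted_writes.append((ts, ev))
                alerts.append({
                    "rule": "untrusted_write",
                    "user": ev["User"],
                    "via": ev["Image"],
                    "time": ev["UtcTime"],
                })
        # Sysmon Event ID 1: ProcessCreate
        elif ev["EventID"] == 1 and ev["Image"].lower() == DROP_PATH.lower():
            sha = parse_hashes(ev["Hashes"]).get("SHA256")
            if sha in KNOWN_GOOD_SHA256:
                continue  # vendor binary launched by the daemon: expected
            dropper = next(
                (w for wt, w in reversed(untrusted_writes) if ts - wt <= CORRELATION_WINDOW),
                None,
            )
            alerts.append({
                "rule": "unknown_binary_executed",
                "user": ev["User"],
                "parent": ev["ParentImage"],
                "sha256": sha,
                "dropped_by": dropper["User"] if dropper else None,
                "time": ev["UtcTime"],
            })
    return alerts


# Constructed sample events (Sysmon field names; values invented for the example).
# The first pair is a legitimate install/launch, the second pair is the attack.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2025-11-03 09:00:00", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Program Files\\WorkTime\\Setup.exe", "TargetFilename": DROP_PATH},
    {"EventID": 1, "UtcTime": "2025-11-03 09:00:05", "User": "NT AUTHORITY\\SYSTEM",
     "Image": DROP_PATH, "ParentImage": "C:\\Program Files\\WorkTime\\daemon.exe",
     "Hashes": "SHA256=" + "a" * 64 + ",MD5=" + "b" * 32},
    {"EventID": 11, "UtcTime": "2025-11-03 10:15:00", "User": "DESKTOP-01\\lowpriv",
     "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": DROP_PATH},
    {"EventID": 1, "UtcTime": "2025-11-03 10:15:30", "User": "NT AUTHORITY\\SYSTEM",
     "Image": DROP_PATH, "ParentImage": "C:\\Program Files\\WorkTime\\daemon.exe",
     "Hashes": "SHA256=" + "c" * 64 + ",MD5=" + "d" * 32},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The launch alert is the one that matters: the process runs as SYSTEM under the legitimate daemon, so user and parent look normal and only the hash and the preceding untrusted write give it away, which is why 4688 on its own is not enough.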