CVE-2025-15563
📋 TL;DR
This vulnerability allows any unauthenticated user to reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. This occurs because no authorization check is applied to the reset functionality. All WorkTime on-prem installations are affected.
💻 Affected Systems
- WorkTime on-prem
📦 What is this software?
Worktime by Nestersoft
⚠️ Risk & Real-World Impact
Worst Case
Complete database configuration reset leading to service disruption, data corruption, or unauthorized access to sensitive database information.
Likely Case
Service disruption and potential data loss from database configuration being reset to defaults.
If Mitigated
Minimal impact if proper network segmentation and authentication controls prevent unauthorized access.
🎯 Exploit Status
Simple HTTP request with no authentication required; trivial to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific version
Vendor Advisory: https://r.sec-consult.com/worktime
Restart Required: Yes
Instructions:
1. Download the latest patch from the vendor.
2. Apply the patch according to the vendor's instructions.
3. Restart the WorkTime service.
4. Verify the fix.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the WorkTime server to authorized users only
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="WORKTIME_PORT" accept'
netsh advfirewall firewall add rule name="WorkTime Access" dir=in action=allow protocol=TCP localport=WORKTIME_PORT remoteip=TRUSTED_IP
Web Application Firewall
Block requests to the database reset endpoint
WAF rule: Block requests containing '/database/reset' or similar reset patterns
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WorkTime server from untrusted networks
- Deploy web application firewall with rules to block database reset requests
🔍 How to Verify
Check if Vulnerable:
Send HTTP request to WorkTime server's database reset endpoint without authentication; if reset occurs, system is vulnerable.
Check Version:
Check WorkTime admin interface or consult vendor documentation for version check command
Verify Fix Applied:
Attempt same unauthenticated reset request; should receive authentication error or be blocked.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to database reset endpoints
- Database configuration change logs without user authentication
Network Indicators:
- HTTP requests to /database/reset or similar endpoints from unauthenticated sources
SIEM Query:
source="worktime" AND (uri="/database/reset" OR uri="*reset*") AND auth_status="unauthenticated"
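As an added example (not from the advisory or the vendor), a small Python checker that applies the log indicators above to constructed web-server log lines: it flags requests to reset-style paths that carry no authenticated user and records whether the server accepted them (after the fix or a WAF rule, such requests should be rejected). The combined log format, the field names and the sample paths are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in Apache/nginx combined format (hypothetical;
# WorkTime's real log format is not documented here). The third field is
# the authenticated user, "-" when the request carried no identity.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jan/2025:10:01:02 +0000] "GET /admin/status HTTP/1.1" 200 512
203.0.113.7 - - [12/Jan/2025:10:02:15 +0000] "POST /database/reset HTTP/1.1" 200 128
10.0.0.9 - - [12/Jan/2025:10:03:40 +0000] "GET /login HTTP/1.1" 200 2048
198.51.100.3 - - [12/Jan/2025:10:04:01 +0000] "GET /api/config/resetDatabase HTTP/1.1" 302 0
10.0.0.5 - admin [12/Jan/2025:10:05:09 +0000] "POST /database/reset HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Mirrors the advisory's "/database/reset or similar reset patterns" heuristic.
RESET_RE = re.compile(r'reset', re.IGNORECASE)


@dataclass
class Alert:
    src: str
    ts: str
    method: str
    path: str
    status: int
    succeeded: bool  # True if the server did not reject the request (<400)


def find_unauthenticated_resets(log_text: str) -> List[Alert]:
    """Return one Alert per request to a reset-looking path that carried
    no authenticated user; malformed lines are skipped, not fatal."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["user"] == "-" and RESET_RE.search(m["path"]):
            status = int(m["status"])
            alerts.append(Alert(m["src"], m["ts"], m["method"], m["path"],
                                status, status < 400))
    return alerts


if __name__ == "__main__":
    for a in find_unauthenticated_resets(SAMPLE_LOG):
        verdict = "ACCEPTED" if a.succeeded else "rejected"
        print(f"ALERT {a.ts} {a.src} {a.method} {a.path} -> {a.status} ({verdict})")
```

An accepted (2xx/3xx) hit is the strongest indicator: it means the reset path answered an unauthenticated caller, which is exactly what the fix should make impossible.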