CVE-2025-10639
Published: 21 October 2025
Description
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
Security Summary
CVE-2025-10639 affects the WorkExaminer Professional server installation, which includes an FTP server listening on TCP port 12304 for receiving client logs. The vulnerability stems from weak hardcoded credentials (CWE-798: Use of Hard-coded Credentials) that allow unauthorized access to this FTP service. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and potential for high confidentiality, integrity, and availability impacts.
An attacker with network access to TCP port 12304 can use the weak hardcoded credentials to log into the FTP server. This grants the ability to read or modify data and log files. Escalation to remote code execution as NT Authority\SYSTEM is possible by replacing writable service binaries within the WorkExaminer installation directory, such as "C:\Program Files (x86)\Work Examiner Professional Server".
Advisories detailing the vulnerability and mitigation recommendations are available from SEC Consult at https://r.sec-consult.com/workexaminer and on the Full Disclosure mailing list at http://seclists.org/fulldisclosure/2025/Oct/19.
Details
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1078.001: Valid Accounts: Default Accounts
- T1574.010: Hijack Execution Flow: Services File Permissions Weakness
Why these techniques?
Hardcoded credentials enable T1078.001 (default accounts) for initial FTP access, reached via T1190 against the public-facing FTP service; FTP write access to service binaries enables T1574.010, yielding remote code execution as SYSTEM.
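A defender-side audit of the two conditions the summary and the technique mapping chain together (service binaries under the install directory that non-admin principals can write, and a TCP 12304 listener exposed on all interfaces). This is an added example, not code from the advisory, SEC Consult or the WorkExaminer vendor; it assumes it runs elevated on the WorkExaminer server host, and apart from the install path and port taken from the advisory, the trusted-principal list and all other names are assumptions.

```powershell
# Added example, not from the advisory: audit a WorkExaminer Professional server host for the
# two conditions CVE-2025-10639 chains together. Run elevated on that host. The install path
# and port come from the advisory; the trusted-principal list and everything else is assumed.
$InstallDir = 'C:\Program Files (x86)\Work Examiner Professional Server'
$FtpPort    = 12304
# Principals that are expected to hold write rights on service binaries.
$Trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Test-GrantsWrite([System.Security.AccessControl.FileSystemAccessRule]$Ace) {
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = [int]$Ace.FileSystemRights
    # Negative values are generic rights: flag GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000).
    if ($rights -lt 0) { return (($rights -band 0x50000000) -ne 0) }
    return (($rights -band $WriteMask) -ne 0)
}

# 1. Services whose executable lives under the install directory (the binaries an FTP write
#    could replace), plus the directory itself, since a writable directory allows file swaps.
$services = Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$InstallDir*" }
foreach ($s in $services) { Write-Host "Service $($s.Name) runs as $($s.StartName): $($s.PathName)" }
$targets = @($InstallDir) + @($services | ForEach-Object {
    # PathName may be quoted and carry arguments; keep only the executable path.
    if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
})
foreach ($path in ($targets | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        $id = $ace.IdentityReference.Value
        if (($Trusted -contains $id) -or -not (Test-GrantsWrite $ace)) { continue }
        Write-Warning "Writable by '$id' ($($ace.FileSystemRights)): $path"
    }
}

# 2. Is the log-collection FTP listener exposed beyond the loopback interface?
Get-NetTCPConnection -State Listen -LocalPort $FtpPort -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    if ($_.LocalAddress -in @('0.0.0.0', '::')) {
        Write-Warning "TCP $FtpPort bound to all interfaces by '$proc'; restrict it to the client subnet with a firewall rule."
    } else {
        Write-Host "TCP $FtpPort listening on $($_.LocalAddress) ('$proc')"
    }
}
```

Any warning from the first block means a principal other than the administrators group or SYSTEM can swap a binary that a SYSTEM service will later execute; tighten the ACL to read/execute for that principal and verify the service binaries' hashes against a known-good install.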