Cyber Posture

CVE-2025-10640

Critical

Published: 21 October 2025
Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (64.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Authentication bypass in WorkExaminer: the server component listening on TCP port 12306 hands the login verdict back to the Professional console and never enforces it itself (CWE-602, Client-Side Enforcement of Server-Side Security), so an unauthenticated remote attacker can skip the login prompt and obtain full administrative access.

Security Summary

CVE-2025-10640 affects the WorkExaminer server component, which listens on TCP port 12306 and serves the Professional console used for administrative access. The server-side authentication check is missing: the custom protocol invokes a stored procedure on the MSSQL database to verify the supplied credentials, but the stored procedure's return value is evaluated only by the client, which decides on its own whether to proceed past the login prompt. Because the server never enforces that verdict (CWE-602, Client-Side Enforcement of Server-Side Security), an attacker can bypass the login prompt entirely. The issue was published on 2025-10-21 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker with network access to TCP port 12306 can exploit this flaw remotely, with low attack complexity and no user interaction. Successful exploitation yields full administrative access to the WorkExaminer server and therefore to everything it has collected from monitored users, including captured screenshots and keystroke logs.

For mitigation, patches or workarounds, refer to the SEC Consult advisory at https://r.sec-consult.com/workexaminer and the Full Disclosure mailing list posting at http://seclists.org/fulldisclosure/2025/Oct/19. Since exploitation requires only network reachability of TCP port 12306, restricting access to that port to trusted administrative hosts limits exposure until the patch is applied.
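The pattern described above, as an added example written for this page (it is not WorkExaminer's code or wire protocol; the command names, the message shape and the credential store are all constructed): a server that returns the login verdict and trusts the client to honour it, beside one that records the verdict in server-side session state and checks it before dispatching any privileged command. The three probe functions show the check a tester would run against either design, namely asking for monitoring data without ever completing a login, or after a login the server reported as failed.

```python
"""Model of CWE-602 (client-side enforcement of server-side security).

Hypothetical example written for this page; it is NOT WorkExaminer's wire
protocol or code.  The command names, the dict-shaped messages and the
credential store are constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed credential store standing in for the stored procedure that
# the real server calls on its MSSQL database.
_ACCOUNTS = {"admin": "correct horse battery staple"}


def check_credentials(user: str, password: str) -> bool:
    """Stand-in for the database lookup: True only for a valid pair."""
    return _ACCOUNTS.get(user) == password


@dataclass
class Session:
    """Per-connection state; only the hardened server reads it."""
    authenticated: bool = False


class VulnerableServer:
    """Returns the login verdict to the client and then trusts the client
    to act on it.  Every other command is served unconditionally."""

    def handle(self, session: Session, msg: dict) -> dict:
        cmd = msg.get("cmd")
        if cmd == "LOGIN":
            # The verdict goes back over the wire; nothing on this side
            # records whether it was a pass or a fail.
            return {"ok": check_credentials(msg.get("user", ""),
                                            msg.get("password", ""))}
        if cmd == "GET_SCREENSHOTS":
            return {"ok": True, "data": "<captured screenshots>"}
        return {"ok": False, "error": "unknown command"}


class HardenedServer:
    """Same commands, but the verdict is stored in the server-side session
    and enforced before any privileged command is dispatched."""

    def handle(self, session: Session, msg: dict) -> dict:
        cmd = msg.get("cmd")
        if cmd == "LOGIN":
            session.authenticated = check_credentials(msg.get("user", ""),
                                                      msg.get("password", ""))
            return {"ok": session.authenticated}
        if not session.authenticated:
            # Enforcement lives here, where the client cannot skip it.
            return {"ok": False, "error": "authentication required"}
        if cmd == "GET_SCREENSHOTS":
            return {"ok": True, "data": "<captured screenshots>"}
        return {"ok": False, "error": "unknown command"}


def fetch_without_login(server) -> bool:
    """Ask for monitoring data without ever sending LOGIN.
    Returns True if the server hands the data over."""
    session = Session()
    reply = server.handle(session, {"cmd": "GET_SCREENSHOTS"})
    return bool(reply["ok"] and "data" in reply)


def fetch_after_failed_login(server) -> bool:
    """Send a bad LOGIN, ignore the 'ok: False' verdict the way a modified
    client could, and ask for data anyway."""
    session = Session()
    server.handle(session, {"cmd": "LOGIN", "user": "admin", "password": "wrong"})
    reply = server.handle(session, {"cmd": "GET_SCREENSHOTS"})
    return bool(reply["ok"] and "data" in reply)


def fetch_with_valid_login(server) -> bool:
    """Legitimate path: correct credentials, then the privileged command."""
    session = Session()
    server.handle(session, {"cmd": "LOGIN", "user": "admin",
                            "password": _ACCOUNTS["admin"]})
    reply = server.handle(session, {"cmd": "GET_SCREENSHOTS"})
    return bool(reply["ok"] and "data" in reply)


if __name__ == "__main__":
    for srv in (VulnerableServer(), HardenedServer()):
        name = type(srv).__name__
        print(f"{name}: no login -> data? {fetch_without_login(srv)}")
        print(f"{name}: failed login -> data? {fetch_after_failed_login(srv)}")
        print(f"{name}: valid login -> data? {fetch_with_valid_login(srv)}")
```

The point of the two servers is that the fix cannot live in the console: a client binary can always be patched or replaced, so the verdict of the credential check has to be recorded and enforced on the server side of the connection. The probe functions are the test to apply to any custom administrative protocol: if a privileged request succeeds on a connection that has not completed authentication, the server is enforcing nothing.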

Details

CWE(s)
CWE-602

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a critical authentication bypass in a network-accessible service (TCP port 12306) that lets an unauthenticated remote attacker gain full administrative access to the server. Where that port is reachable from the Internet, this maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0