CVE-2025-15559

Critical

Published: 19 February 2026

Published

19 February 2026

Modified

03 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0023 46.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an…

attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation and sanitization of the 'guid' parameter in the WorkTime server API to directly prevent OS command injection exploitation.

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation of the specific command injection flaw in the WorkTime server API endpoint to eliminate the vulnerability.

AC-6 Least Privilege partial match

prevent

Enforces least privilege on the WorkTime server process to restrict the impact of injected commands beyond NT Authority\SYSTEM privileges.

Security SummaryAI

CVE-2025-15559 is an OS command injection vulnerability (CWE-78) affecting NesterSoft WorkTime, a time-tracking software. The issue resides in the server API endpoint responsible for generating and downloading the WorkTime client, where the "guid" parameter fails to properly sanitize input, enabling unauthenticated attackers to inject arbitrary OS commands on the WorkTime server.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows execution of arbitrary commands as NT Authority\SYSTEM with the highest privileges, granting attackers the ability to access or manipulate sensitive data and achieve full takeover of the WorkTime server.

Mitigation details are available in the SEC Consult advisory at https://r.sec-consult.com/worktime.

Details

CWE(s): CWE-78

Affected Products

nestersoft

worktime

≤ 11.8.8 · ≤ 11.8.8

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.003 Windows Command Shell Execution

Adversaries may abuse the Windows command shell for execution.

attack.mitre.org →

Why these techniques?

CVE enables unauthenticated exploitation of a public-facing server API (T1190) via OS command injection, allowing arbitrary Windows command execution as SYSTEM (T1059.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://r.sec-consult.com/worktime
Third Party Advisory · 551230f0-3615-47bd-b7cc-93e92e730bbf