Vulnerability Description
Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Draugiemgroup | Desktime Time Tracking | < 1.3.674 |
Related Weaknesses (CWE)
References
- https://desktime.com/downloadProduct
- https://r.sec-consult.com/desktimeThird Party Advisory
- http://seclists.org/fulldisclosure/2026/Apr/20ExploitMailing ListThird Party Advisory
- http://seclists.org/fulldisclosure/2026/Apr/21ExploitMailing ListThird Party Advisory
- https://sec-consult.com/vulnerability-lab/advisory/missing-tls-certificate-validThird Party Advisory
FAQ
What is CVE-2025-10539?
CVE-2025-10539 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime updat...
How severe is CVE-2025-10539?
CVE-2025-10539 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-10539?
Check the references section above for vendor advisories and patch information. Affected products include: Draugiemgroup Desktime Time Tracking.