Improper TLS Certificate Validation RCE via Malicious Update in DeskTime Time Tracking App
Summary
| CVE | CVE-2025-10539 |
|---|---|
| State | PUBLISHED |
| Assigner | SEC-VLab |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-28 09:16:16 UTC |
| Updated | 2026-04-28 09:16:16 UTC |
| Description | Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client. |
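The two weaknesses this record lists (CWE-295/296, certificate validation, and CWE-494, download of code without an integrity check) are independent, and a safe updater needs both controls. The following Python is an added example, not DeskTime's code and not derived from the advisory: it shows a hardened update-fetch path that enforces hostname-checked, CA-verified TLS and then checks the downloaded artifact against an expected SHA-256 obtained out of band, next to the weak context configuration that an in-path attacker can exploit. The host name, the sample payload and its digest are constructed placeholders.

```python
import hashlib
import hmac
import ssl
import urllib.request

# Constructed sample standing in for the update binary a server would return;
# the digest is what a client would learn out of band, e.g. from a signed
# manifest fetched over an already-verified channel.
SAMPLE_UPDATE = b"MZ\x90\x00" + b"constructed-update-payload" * 4
SAMPLE_UPDATE_SHA256 = hashlib.sha256(SAMPLE_UPDATE).hexdigest()

# Placeholder update endpoint (assumption; not the vendor's real host).
UPDATE_URL = "https://updates.example.invalid/client/latest.exe"


def make_update_tls_context() -> ssl.SSLContext:
    """Context that rejects untrusted or mismatched server certificates."""
    ctx = ssl.create_default_context()          # system CA store, CERT_REQUIRED
    ctx.check_hostname = True                    # subject must match the URL host
    ctx.verify_mode = ssl.CERT_REQUIRED          # chain must validate to a trusted root
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_tls_context() -> ssl.SSLContext:
    """The CWE-295 anti-pattern: any certificate, including an attacker's, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_hardened_context(ctx: ssl.SSLContext) -> bool:
    """Quick self-check an updater can run before using a context."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def verify_artifact(data: bytes, expected_sha256_hex: str) -> bool:
    """CWE-494 control: integrity of the downloaded bytes against a trusted digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex)


def _https_get(url: str) -> bytes:
    """Default transport: TLS-verified GET using the hardened context."""
    ctx = make_update_tls_context()
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read()


def fetch_update(url: str, expected_sha256_hex: str, fetcher=_https_get) -> bytes:
    """Download an update and refuse it unless both TLS and integrity checks pass.

    `fetcher` is injectable so the integrity path can be exercised offline.
    """
    data = fetcher(url)
    if not verify_artifact(data, expected_sha256_hex):
        raise ValueError("update integrity check failed; refusing to install")
    return data


if __name__ == "__main__":
    # Offline demonstration of the integrity check with a tampered payload.
    good = fetch_update(UPDATE_URL, SAMPLE_UPDATE_SHA256, fetcher=lambda u: SAMPLE_UPDATE)
    print("accepted", len(good), "bytes")
    try:
        fetch_update(UPDATE_URL, SAMPLE_UPDATE_SHA256, fetcher=lambda u: SAMPLE_UPDATE + b"\x00")
    except ValueError as exc:
        print("rejected:", exc)
```

A digest alone only helps if it reaches the client over a channel the attacker cannot tamper with, which is why the hardened TLS context matters even when an integrity check exists; a code signature verified against a pinned vendor key is the stronger form of the same control.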
Risk And Classification
Problem Types: CWE-295 Improper certificate validation | CWE-296 Improper following of a certificate's chain of trust | CWE-494 Download of code without integrity check
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | DeskTime | DeskTime Time Tracking App | affected 1.3.674 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| r.sec-consult.com/desktime | 551230f0-3615-47bd-b7cc-93e92e730bbf | r.sec-consult.com | |
| desktime.com/download | 551230f0-3615-47bd-b7cc-93e92e730bbf | desktime.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Daniel Hirschberger, SEC Consult Vulnerability Lab
CNA: Thorger Jansen, SEC Consult Vulnerability Lab
CNA: Tobias Niemann, SEC Consult Vulnerability Lab
CNA: Marius Renner, SEC Consult Vulnerability Lab
Additional Advisory Data
Solutions
CNA: The vendor provides a patched version v1.3.674 which can be obtained from: https://desktime.com/download
There are currently no legacy QID mappings associated with this CVE.