CVE-2025-10639
BaseFortify
Publication date: 2025-10-21
Last updated on: 2025-11-03
Assigner: SEC Consult Vulnerability Lab
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| efficientlab | workexaminer_professional | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the WorkExaminer Professional server's FTP server, which uses weak hardcoded credentials on TCP port 12304. An attacker with network access to this port can log in without authentication, read and modify data including log files, and replace service binaries in the installation directory. This allows the attacker to execute code remotely with NT Authority\SYSTEM privileges, effectively gaining full control over the server. [1]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to unauthorized access to sensitive data such as logs, modification or deletion of important files, and complete takeover of the server through remote code execution with system-level privileges. This can result in data breaches, service disruption, and potential further compromise of the network environment. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning your network for open TCP port 12304, which is used by the WorkExaminer FTP server. You can use network scanning tools such as nmap to check if port 12304 is open on your servers. For example, the command 'nmap -p 12304 <target-ip>' can be used to detect if the FTP service is accessible. Additionally, attempting to log in using the known hardcoded credentials (if available) can confirm vulnerability. Monitoring for unexpected modifications in the WorkExaminer installation directory (e.g., 'C:\Program File (x86)\Work Examiner Professional Server') and checking for unusual file changes or service binary replacements can also indicate exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to TCP port 12304 to trusted hosts only, such as by configuring firewall rules to block unauthorized access. Since no patches or fixes are available and no workarounds exist, it is recommended to contact EfficientLab for potential solutions or consider replacing the WorkExaminer product with a more secure alternative. Monitoring the system for signs of compromise and removing or isolating affected systems can also help reduce risk. [1]