CVE-2025-10639
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-21

Last updated on: 2025-11-03

Assigner: SEC Consult Vulnerability Lab

Description
The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304. An attacker with network access to this port can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\SYSTEM on the server by exchanging accessible service binaries in the WorkExaminer installation directory (e.g. "C:\Program File (x86)\Work Examiner Professional Server").
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-21
Last Modified
2025-11-03
Generated
2026-06-16
AI Q&A
2025-10-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10639
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
efficientlab workexaminer_professional *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the WorkExaminer Professional server's FTP server, which uses weak hardcoded credentials on TCP port 12304. An attacker with network access to this port can log in without authentication, read and modify data including log files, and replace service binaries in the installation directory. This allows the attacker to execute code remotely with NT Authority\SYSTEM privileges, effectively gaining full control over the server. [1]

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized access to sensitive data such as logs, modification or deletion of important files, and complete takeover of the server through remote code execution with system-level privileges. This can result in data breaches, service disruption, and potential further compromise of the network environment. [1]

Detection Guidance

This vulnerability can be detected by scanning your network for open TCP port 12304, which is used by the WorkExaminer FTP server. You can use network scanning tools such as nmap to check if port 12304 is open on your servers. For example, the command 'nmap -p 12304 <target-ip>' can be used to detect if the FTP service is accessible. Additionally, attempting to log in using the known hardcoded credentials (if available) can confirm vulnerability. Monitoring for unexpected modifications in the WorkExaminer installation directory (e.g., 'C:\Program File (x86)\Work Examiner Professional Server') and checking for unusual file changes or service binary replacements can also indicate exploitation. [1]

Mitigation Strategies

Immediate mitigation steps include restricting network access to TCP port 12304 to trusted hosts only, such as by configuring firewall rules to block unauthorized access. Since no patches or fixes are available and no workarounds exist, it is recommended to contact EfficientLab for potential solutions or consider replacing the WorkExaminer product with a more secure alternative. Monitoring the system for signs of compromise and removing or isolating affected systems can also help reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10639. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart