CVE-2025-15561
Awaiting Analysis Awaiting Analysis - Queue
Privilege Escalation via Writable Directory in WorkTime Daemon

Publication date: 2026-02-19

Last updated on: 2026-02-26

Assigner: SEC Consult Vulnerability Lab

Description
An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be namedΒ  WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15561
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nestersoft worktime to 11.8.8 (inc)
nestersoft worktime to 11.8.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the WorkTime monitoring daemon's update behavior, which can be exploited by an attacker to gain elevated privileges on the local system.

Specifically, if a malicious executable named WTWatch.exe is placed in the C:\ProgramData\wta\ClientExe directoryβ€”a directory writable by everyoneβ€”the WorkTime monitoring daemon will execute this file.

As a result, the attacker can run code with NT Authority\SYSTEM privileges, effectively gaining full control over the system.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary code with the highest system privileges (NT Authority\SYSTEM).

This can lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, disruption of system operations, and potential further attacks within a network.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15561. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart