CVE-2025-15563
Unauthorized Configuration Reset in WorkTime On-Prem via HTTP Request
Publication date: 2026-02-19
Last updated on: 2026-02-26
Assigner: SEC Consult Vulnerability Lab
Description
WorkTime On-Prem by Nestersoft, up to and including version 11.8.8, lets an unauthenticated remote attacker reset the database configuration of the WorkTime server by sending a crafted HTTP request. The server performs no authorization check on that request (CWE-862), so anyone who can reach the server over the network can trigger the reset.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nestersoft | worktime | up to and including 11.8.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows any unauthenticated user to reset the database configuration of a WorkTime on-premises server by sending a specific HTTP request to it. The reset endpoint applies no authorization check: the server never verifies whether the requester is authenticated at all, let alone permitted to perform this action. That is the textbook CWE-862 pattern, a state-changing action exposed without a check on who is asking.
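To make the CWE-862 pattern concrete, the following is an added illustration, not WorkTime's code and not taken from the advisory: a configuration-reset handler written the way the Q&A describes the flaw (the action runs for any caller), next to a hardened version that denies by default, authenticates the caller, and then authorizes the role. The endpoint semantics, the bearer-token session store, the `admin`/`user` role model and the sample configuration are all assumptions made for the example.

```python
# Added illustration of CWE-862 (missing authorization) on a
# configuration-reset endpoint. Not WorkTime's code: the handler shape,
# the session store and the role model are assumptions for this example.
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    role: str  # assumed role model: "admin" may reset, "user" may not


@dataclass
class ConfigServer:
    # Constructed sample state standing in for the on-prem database config.
    db_config: dict = field(
        default_factory=lambda: {"host": "db01", "name": "worktime"}
    )
    # Assumed bearer-token session store: token -> Session
    sessions: dict = field(default_factory=dict)

    def reset_config_vulnerable(self, method: str, headers: dict):
        """Handler as CWE-862 describes it: performs the action for anyone.

        The request method and headers are never consulted, so whoever can
        reach the server can wipe the configuration.
        """
        self.db_config = {}
        return 200, "configuration reset"

    def reset_config_fixed(self, method: str, headers: dict):
        """Hardened handler: deny by default, authenticate, then authorize."""
        # State-changing action: refuse safe methods so a plain link or an
        # image tag loaded in an admin's browser cannot trigger it.
        if method != "POST":
            return 405, "method not allowed"
        # Authentication: map the presented bearer token to a live session.
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        session = self.sessions.get(token) if token else None
        if session is None:
            return 401, "authentication required"
        # Authorization: only an administrator may reset the configuration.
        if session.role != "admin":
            return 403, "forbidden"
        self.db_config = {}
        return 200, "configuration reset"


def demo():
    """Send the same requests to both handlers and collect the outcomes.

    Returns a dict of (status, config-after-request) pairs so the effect
    of each request on server state is visible, not just the status code.
    """
    anonymous = {}  # constructed request carrying no credentials
    results = {}

    vuln = ConfigServer()
    status, _ = vuln.reset_config_vulnerable("POST", anonymous)
    results["vulnerable"] = (status, dict(vuln.db_config))

    fixed = ConfigServer()
    fixed.sessions["tok-admin"] = Session("alice", "admin")
    fixed.sessions["tok-user"] = Session("bob", "user")
    status, _ = fixed.reset_config_fixed("POST", anonymous)
    results["fixed_anonymous"] = (status, dict(fixed.db_config))
    status, _ = fixed.reset_config_fixed(
        "POST", {"Authorization": "Bearer tok-user"}
    )
    results["fixed_user"] = (status, dict(fixed.db_config))
    status, _ = fixed.reset_config_fixed(
        "POST", {"Authorization": "Bearer tok-admin"}
    )
    results["fixed_admin"] = (status, dict(fixed.db_config))
    return results


if __name__ == "__main__":
    for name, (status, config) in demo().items():
        print(f"{name:16s} status={status} config={config}")
```

The order of the checks in the fixed handler matters: the method check comes first so the endpoint cannot be reached by a GET, the 401 is returned before any role lookup so an unauthenticated probe learns nothing about valid roles, and the 403 for a non-admin session is the authorization decision that the vulnerable handler omits entirely.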
How can this vulnerability impact me?
An attacker who can reach the WorkTime server over the network could reset its database configuration without authenticating.
This could lead to disruption of service, loss of data integrity, or unauthorized changes to the system configuration.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know