Plattform
windows
Komponente
worktime
Behoben in
11.8.9
CVE-2025-15561 describes a Privilege Escalation vulnerability affecting WorkTime versions up to 11.8.8. This flaw allows an attacker to gain SYSTEM-level privileges on the affected Windows system. The vulnerability stems from the update behavior of the WorkTime monitoring daemon, which inadvertently executes a malicious file if it's placed in a publicly writable directory. A patch is expected to address this issue.
The impact of CVE-2025-15561 is severe, as successful exploitation grants an attacker complete control over the compromised system. An attacker could install malware, steal sensitive data, modify system configurations, or pivot to other systems on the network. The ease of exploitation is concerning; simply dropping a specially crafted executable (WTWatch.exe) into a writable directory is sufficient to trigger the privilege escalation. This vulnerability shares similarities with other privilege escalation exploits that leverage auto-execution features of legitimate software.
CVE-2025-15561 is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation. Public proof-of-concept (PoC) code is not yet publicly available, but the vulnerability's simplicity suggests that a PoC could be developed relatively easily. The vulnerability was publicly disclosed on 2026-02-19.
Organizations using WorkTime for monitoring and management, particularly those with legacy configurations or shared hosting environments, are at risk. Systems where the C:\ProgramData\wta\ClientExe directory has overly permissive access controls are especially vulnerable. Environments with limited security monitoring or application whitelisting are also at increased risk.
• windows / supply-chain:
Get-ChildItem -Path "C:\ProgramData\wta\ClientExe" -Filter WTWatch.exe -Recurse• windows / supply-chain:
Get-Acl -Path "C:\ProgramData\wta\ClientExe"• windows / supply-chain:
Check Windows Defender for alerts related to suspicious processes running from C:\ProgramData\wta\ClientExe.
• windows / supply-chain:
Use Autoruns (Sysinternals) to check for any unusual entries related to WorkTime or WTWatch.exe.
disclosure
Exploit-Status
EPSS
0.01% (3% Perzentil)
The primary mitigation for CVE-2025-15561 is to upgrade WorkTime to a patched version as soon as it becomes available. Until a patch is released, restrict write access to the C:\ProgramData\wta\ClientExe directory to only the WorkTime service account. Consider implementing a Web Application Firewall (WAF) or proxy to monitor and block suspicious file uploads to this directory. Regularly scan the directory for unexpected files named WTWatch.exe. After upgrading, confirm the fix by attempting to place a test executable in the directory and verifying that it is not executed by the WorkTime monitoring daemon.
Aktualisieren Sie WorkTime auf eine Version nach 11.8.8. Dies behebt die lokale Privilegieeskaltions-Vulnerabilität.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-15561 is a vulnerability in WorkTime versions up to 11.8.8 that allows an attacker to gain SYSTEM privileges by placing a malicious executable in a specific directory.
You are affected if you are using WorkTime version 11.8.8 or earlier. Check your installed version against the affected range to determine your risk.
Upgrade to a patched version of WorkTime as soon as it becomes available. Until then, restrict write access to the vulnerable directory and consider application whitelisting.
While no public exploits are currently known, the vulnerability's simplicity suggests a high likelihood of exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the WorkTime vendor's website and security advisory page for updates and official information regarding CVE-2025-15561.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.