Platform
windows
Component
worktime
Fixed in
11.8.9
CVE-2025-15561 describes a Privilege Escalation vulnerability affecting WorkTime versions up to 11.8.8. This vulnerability allows a malicious actor to gain SYSTEM-level privileges on a Windows system. By strategically placing a malicious executable, an attacker can leverage WorkTime's update mechanism to execute code with the highest possible privileges. A patch is expected to address this issue.
The impact of CVE-2025-15561 is severe, as successful exploitation grants an attacker complete control over the affected system. An attacker could install malware, steal sensitive data, modify system configurations, or establish a persistent foothold within the network. The ease of exploitation, requiring only the placement of a file in a world-writable directory, significantly increases the risk. This vulnerability shares similarities with other privilege escalation exploits that leverage trusted processes to execute malicious code, potentially leading to widespread compromise if left unaddressed.
CVE-2025-15561 was publicly disclosed on 2026-02-19. The EPSS score is currently pending evaluation, but the ease of exploitation suggests a potentially high probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's simplicity makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.01% (3% percentile)
The primary mitigation for CVE-2025-15561 is to upgrade WorkTime to a patched version as soon as it becomes available. Until a patch is released, restrict write access to the C:\ProgramData\wta\ClientExe directory to only the WorkTime service account. Consider implementing application whitelisting to prevent the execution of unauthorized executables. Monitor the directory for unexpected file creations and deletions. After upgrading, verify the fix by attempting to place a test executable in the directory and confirming that it is not executed by the WorkTime monitoring daemon.
Update WorkTime to a version later than 11.8.8. This will resolve the local privilege escalation vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-15561 is a vulnerability in WorkTime versions up to 11.8.8 that allows an attacker to gain SYSTEM privileges by placing a malicious executable in a specific directory.
You are affected if you are using WorkTime version 11.8.8 or earlier. Check your installed version against the affected range to determine your risk.
Upgrade to a patched version of WorkTime as soon as it becomes available. Until then, restrict write access to the vulnerable directory and consider application whitelisting.
While no public exploits are currently known, the vulnerability's simplicity suggests a high likelihood of exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the WorkTime vendor's website and security advisory page for updates and official information regarding CVE-2025-15561.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.