CVE-2025-10539
Published: Apr 28, 2026
Modified: Apr 29, 2026
PUBLISHED
Description
Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.
| Vendor | Product | Versions |
|---|---|---|
| DeskTime | DeskTime Time Tracking App | affected 0 - < 1.3.674 |
References
https://r.sec-consult.com/desktime (third-party-advisory)