{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-10639", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2025-09-17T14:05:15.138Z", "datePublished": "2025-10-21T11:36:10.097Z", "dateUpdated": "2025-10-22T19:01:38.597Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "WorkExaminer Professional", "vendor": "EfficientLab", "versions": [{"status": "affected", "version": "<= 4.0.0.52001"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tobias Niemann, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Thorger Jansen, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Marius Renner, SEC Consult Vulnerability Lab"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The WorkExaminer Professional server installation comes with an FTP </span><span style=\"background-color: rgb(255, 255, 255);\">server that is used to receive the client logs on TCP port 12304.&nbsp;</span>An attacker with network access to this port&nbsp;can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\\SYSTEM on the server by exchanging accessible service binaries<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">in the WorkExaminer installation directory (e.g. </span><span style=\"background-color: rgb(255, 255, 255);\">\"C:\\Program File (x86)\\Work Examiner Professional Server\").</span><br><br>"}], "value": "The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304.\u00a0An attacker with network access to this port\u00a0can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\\SYSTEM on the server by exchanging accessible service binaries\u00a0in the WorkExaminer installation directory (e.g. \"C:\\Program File (x86)\\Work Examiner Professional Server\")."}], "impacts": [{"capecId": "CAPEC-642", "descriptions": [{"lang": "en", "value": "CAPEC-642 Replace Binaries"}]}, {"capecId": "CAPEC-191", "descriptions": [{"lang": "en", "value": "CAPEC-191 Read Sensitive Constants Within an Executable"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2025-10-21T11:36:10.097Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://r.sec-consult.com/workexaminer"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vendor responded to the submission of our security vulnerabilities by stating that they are not within the scope of their bug bounty program. After telling them that we do not care about the bug bounty but a fix for the issues, we did not receive any further response.<br><br>Hence, there is no fix available for the identified security issues and we assume that this product is unmaintained. We urge customers to contact EfficientLab regarding the issues and a potential solution, such as using another product.<br>"}], "value": "The vendor responded to the submission of our security vulnerabilities by stating that they are not within the scope of their bug bounty program. After telling them that we do not care about the bug bounty but a fix for the issues, we did not receive any further response.\n\nHence, there is no fix available for the identified security issues and we assume that this product is unmaintained. We urge customers to contact EfficientLab regarding the issues and a potential solution, such as using another product."}], "source": {"discovery": "EXTERNAL"}, "title": "Usage of Hardcoded FTP Credentials EfficientLab WorkExaminer Professional", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-10-22T19:01:35.557725Z", "id": "CVE-2025-10639", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T19:01:38.597Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-10639", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-22T19:01:35.557725Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T19:01:29.522Z"}}], "cna": {"title": "Usage of Hardcoded FTP Credentials EfficientLab WorkExaminer Professional", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Tobias Niemann, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Daniel Hirschberger, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Thorger Jansen, SEC Consult Vulnerability Lab"}, {"lang": "en", "type": "finder", "value": "Marius Renner, SEC Consult Vulnerability Lab"}], "impacts": [{"capecId": "CAPEC-642", "descriptions": [{"lang": "en", "value": "CAPEC-642 Replace Binaries"}]}, {"capecId": "CAPEC-191", "descriptions": [{"lang": "en", "value": "CAPEC-191 Read Sensitive Constants Within an Executable"}]}], "affected": [{"vendor": "EfficientLab", "product": "WorkExaminer Professional", "versions": [{"status": "affected", "version": "<= 4.0.0.52001"}], "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "The vendor responded to the submission of our security vulnerabilities by stating that they are not within the scope of their bug bounty program. After telling them that we do not care about the bug bounty but a fix for the issues, we did not receive any further response.\n\nHence, there is no fix available for the identified security issues and we assume that this product is unmaintained. We urge customers to contact EfficientLab regarding the issues and a potential solution, such as using another product.", "supportingMedia": [{"type": "text/html", "value": "The vendor responded to the submission of our security vulnerabilities by stating that they are not within the scope of their bug bounty program. After telling them that we do not care about the bug bounty but a fix for the issues, we did not receive any further response.<br><br>Hence, there is no fix available for the identified security issues and we assume that this product is unmaintained. We urge customers to contact EfficientLab regarding the issues and a potential solution, such as using another product.<br>", "base64": false}]}], "references": [{"url": "https://r.sec-consult.com/workexaminer", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304.\u00a0An attacker with network access to this port\u00a0can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\\SYSTEM on the server by exchanging accessible service binaries\u00a0in the WorkExaminer installation directory (e.g. \"C:\\Program File (x86)\\Work Examiner Professional Server\").", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The WorkExaminer Professional server installation comes with an FTP </span><span style=\"background-color: rgb(255, 255, 255);\">server that is used to receive the client logs on TCP port 12304.&nbsp;</span>An attacker with network access to this port&nbsp;can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\\SYSTEM on the server by exchanging accessible service binaries<span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">in the WorkExaminer installation directory (e.g. </span><span style=\"background-color: rgb(255, 255, 255);\">\"C:\\Program File (x86)\\Work Examiner Professional Server\").</span><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2025-10-21T11:36:10.097Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10639", "state": "PUBLISHED", "dateUpdated": "2025-10-22T19:01:38.597Z", "dateReserved": "2025-09-17T14:05:15.138Z", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "datePublished": "2025-10-21T11:36:10.097Z", "assignerShortName": "SEC-VLab"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304.\u00a0An attacker with network access to this port\u00a0can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\\SYSTEM on the server by exchanging accessible service binaries\u00a0in the WorkExaminer installation directory (e.g. \"C:\\Program File (x86)\\Work Examiner Professional Server\")."}], "id": "CVE-2025-10639", "lastModified": "2025-10-22T19:15:32.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-10-21T12:15:34.770", "references": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://r.sec-consult.com/workexaminer"}], "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}]}

{}