CVE-2025-15561 | THREATINT

Description

An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.

PUBLISHED Reserved 2026-02-04 | Published 2026-02-19 | Updated 2026-02-23 | Assigner SEC-VLab

Problem types

CWE-269 Improper Privilege Management

Product status

Default status

unknown

<= 11.8.8

affected

Credits

Tobias Niemann, SEC Consult Vulnerability Lab finder

Daniel Hirschberger, SEC Consult Vulnerability Lab finder

Thorger Jansen, SEC Consult Vulnerability Lab finder

Marius Renner, SEC Consult Vulnerability Lab finder

References

r.sec-consult.com/worktime third-party-advisory

cve.org (CVE-2025-15561)

nvd.nist.gov (CVE-2025-15561)

Download JSON