CVE-2025-15561 PUBLISHED

Local Privilege Escalation in NesterSoft WorkTime

Assigner: SEC-VLab
Reserved: 04.02.2026 Published: 19.02.2026 Updated: 19.02.2026

An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.

Product Status

Vendor	NesterSoft Inc.
Product	WorkTime (on-prem/cloud)
Versions	Default: unknown Version <= 11.8.8 is affected

Solutions

The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.

Credits

Tobias Niemann, SEC Consult Vulnerability Lab finder
Daniel Hirschberger, SEC Consult Vulnerability Lab finder
Thorger Jansen, SEC Consult Vulnerability Lab finder
Marius Renner, SEC Consult Vulnerability Lab finder

References

https://r.sec-consult.com/worktime

Problem Types

CWE-269 Improper Privilege Management CWE

Impacts

CAPEC-233 Privilege Escalation