Medium severity 4.8 · NVD Advisory · Published Apr 28, 2026 · Updated May 18, 2026
CVE-2025-10539
Description
Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.
Affected products
- cpe:2.3:a:draugiemgroup:desktime_time_tracking:*:*:*:*:*:*:*:* (Range: <1.3.674)
- Range: <1.3.674
References
- seclists.org/fulldisclosure/2026/Apr/20 (nvd: Exploit, Mailing List, Third Party Advisory)
- seclists.org/fulldisclosure/2026/Apr/21 (nvd: Exploit, Mailing List, Third Party Advisory)
- r.sec-consult.com/desktime (nvd: Third Party Advisory)
- sec-consult.com/vulnerability-lab/advisory/missing-tls-certificate-validation-leading-to-rce-in-desktime-time-tracking-app/ (nvd: Third Party Advisory)
- desktime.com/download (nvd: Product)