PT-2026-20798 · Nestersoft · Nestersoft Worktime

Published 2026-02-19 · Updated 2026-03-03 · CVE-2025-15559

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: NesterSoft WorkTime (affected versions not specified)

Description: An unauthenticated attacker can inject OS commands when calling a server API endpoint. The server API call that generates and downloads the WorkTime client is vulnerable through the guid parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT AUTHORITY\SYSTEM, the highest privilege level, potentially enabling access to or manipulation of sensitive data and complete server takeover.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
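The root cause described above is a request parameter (guid) reaching an OS command unvalidated. The following is an added illustration of the two controls a defender would expect on such an endpoint: strict canonical-GUID validation before the value is used, and invoking the client builder as an argument list rather than a shell string. This is example code written for this advisory, not NesterSoft's code; the builder executable name `build_client.exe`, the `--guid` flag, and the handler structure are hypothetical placeholders, and the sample inputs are constructed.

```python
import re
import subprocess
import uuid

# Canonical GUID only: 8-4-4-4-12 hexadecimal groups. Anything else is
# rejected before the value can reach a process invocation.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Characters that have meaning to a command interpreter; used only for
# defender-side telemetry on what the endpoint is receiving.
SHELL_METACHARACTERS = "&|;`$<>\n\r"


def validate_guid(value: str) -> str:
    """Return the GUID in normalised lower-case form, or raise ValueError."""
    if not isinstance(value, str) or not GUID_RE.fullmatch(value):
        raise ValueError("guid parameter is not a canonical GUID")
    # Round-trip through uuid.UUID to confirm it parses and to normalise case.
    return str(uuid.UUID(value))


def build_client_command(guid: str, builder_path: str = "build_client.exe") -> list:
    """Build the argv list for the (hypothetical) client builder.

    The command is an argument list, never a string handed to a shell, so
    metacharacters in guid cannot alter the command even if validation were
    somehow bypassed. validate_guid() runs first, so a malformed value never
    produces a command at all.
    """
    return [builder_path, "--guid", validate_guid(guid)]


def run_client_build(guid: str, builder_path: str = "build_client.exe") -> subprocess.CompletedProcess:
    """Invoke the builder with shell=False. Not executed in this example's tests."""
    return subprocess.run(build_client_command(guid, builder_path), shell=False,
                          capture_output=True, check=True)


def looks_like_injection_attempt(value: str) -> bool:
    """Telemetry helper: flag a rejected guid value that carries shell metacharacters.

    A value that merely fails the format check (a typo, a truncated GUID) is
    not flagged; one that fails and contains interpreter-significant
    characters is worth an alert on an endpoint like the one in this advisory.
    """
    if GUID_RE.fullmatch(value):
        return False
    return any(c in value for c in SHELL_METACHARACTERS)


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, one malformed, one hostile.
    for candidate in ["123e4567-E89B-12d3-a456-426614174000", "not-a-guid", "x & whoami"]:
        try:
            print("accepted:", build_client_command(candidate))
        except ValueError as exc:
            print("rejected:", candidate, "-", exc,
                  "(suspicious)" if looks_like_injection_attempt(candidate) else "")
```

The validation step is what removes the vulnerability class from the endpoint; the argument-list invocation is defence in depth, and the telemetry helper gives an operations team something to alert on while no fixed version is available.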

Weakness Enumeration: OS Command Injection

Related identifiers: CVE-2025-15559

Affected products: Nestersoft Worktime