PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-10539 Draugiemgroup CVE debrief

CVE-2025-10539 covers improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674. According to NVD and the referenced SEC Consult advisory, an attacker who can position themselves between the client and the DeskTime update servers may be able to replace an update response with a malicious executable. The practical outcome is user-level remote code execution on affected clients, but the attack requires network-path positioning, which is reflected in the CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) and the Medium severity score of 4.8.

Vendor: Draugiemgroup
Product: DeskTime Time Tracking App
CVSS: MEDIUM 4.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-28
Original CVE updated: 2026-05-18
Advisory published: 2026-04-28
Advisory updated: 2026-05-18

Who should care

Organizations using DeskTime Time Tracking App on managed endpoints, especially teams that rely on automatic updates and may run the client on untrusted or interceptable networks. Security and IT operations teams should also care because the issue affects the software update channel, not just the local application runtime.

Technical summary

NVD describes CVE-2025-10539 as a TLS validation failure in DeskTime Time Tracking App versions before 1.3.674. The weakness can let a network-positioned attacker intercept update traffic and return a malicious executable instead of the expected update. The NVD record maps the issue to CWE-295, CWE-296, and CWE-494, consistent with certificate-validation and untrusted-update delivery problems. The result is user-level RCE on the client when the malicious update is accepted and run.

Defensive priority

Medium; prioritize if DeskTime clients are allowed to update over networks that could be intercepted or if endpoints are exposed to hostile network paths.

Recommended defensive actions

  • Upgrade DeskTime Time Tracking App to version 1.3.674 or later.
  • Verify that update traffic is protected by proper TLS certificate validation and that clients are not accepting invalid certificates.
  • Restrict or monitor software update traffic from endpoints where interception risk is higher, such as public or unmanaged networks.
  • Review endpoint protections for downloaded executables and alert on unexpected DeskTime update binaries or unusual parent-child process chains.
  • Use the SEC Consult advisory and vendor download/reference pages to confirm your deployed version and remediation status.
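The second recommendation above asks for a client that actually validates the update server's certificate, and the CWE-494 mapping in the technical summary asks for an integrity check on the downloaded binary that does not depend on TLS alone. The following is an added illustration, not DeskTime's, Draugiemgroup's or SEC Consult's code: it shows the weak TLS context shape that a CWE-295 finding describes beside the corrected one, an audit helper that tells the two apart, and a digest check on the update payload. The host name and digests are constructed placeholders.

```python
"""Added example: client-side controls for an HTTPS update channel.
Not the vendor's code; UPDATE_HOST and all digests are constructed placeholders."""
import hashlib
import hmac
import ssl
import urllib.request
from typing import Optional

UPDATE_HOST = "updates.example.invalid"  # placeholder, not the real DeskTime server


def insecure_context() -> ssl.SSLContext:
    """Weak shape (CWE-295/CWE-296): TLS is used for transport, but neither the
    chain nor the hostname is checked, so any on-path party's certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected shape: require a chain to a trusted CA (system store or an
    explicit CA bundle) and a hostname that matches the certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Audit check for a client's context: does it really validate the server?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verify_update_payload(payload: bytes, expected_sha256: str) -> bool:
    """Independent control for CWE-494: the downloaded executable must match a
    digest obtained out of band (for example from a signed manifest)."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def fetch_update(url: str, expected_sha256: str, cafile: Optional[str] = None) -> bytes:
    """Download over validated TLS, then refuse any payload whose digest does not match."""
    if not url.startswith("https://"):
        raise ValueError("update channel must be HTTPS")
    with urllib.request.urlopen(url, context=secure_context(cafile), timeout=30) as resp:
        data = resp.read()
    if not verify_update_payload(data, expected_sha256):
        raise ValueError("update payload digest mismatch; refusing to install")
    return data


if __name__ == "__main__":
    print("weak context hardened? ", context_is_hardened(insecure_context()))   # False
    print("fixed context hardened?", context_is_hardened(secure_context()))     # True
```

`fetch_update` is the only function that touches the network; the context and digest helpers run offline and can be reused as checks against a client's own configuration.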

Evidence notes

This debrief is based on the supplied NVD record for CVE-2025-10539 and the linked third-party advisory references. The NVD entry states: DeskTime Time Tracking App before 1.3.674 is affected; the CVSS vector is AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N; and the weaknesses include CWE-295, CWE-296, and CWE-494. The record also references DeskTime product/download information, a SEC Consult advisory titled "missing TLS certificate validation leading to RCE in DeskTime Time Tracking App," and public full-disclosure mailing-list threads.

Official resources

Publicly disclosed in the NVD record on 2026-04-28, with the record last modified on 2026-05-18. NVD cites a third-party advisory and public disclosure threads as references.