CVE-2025-10639
Published: 21 October 2025
Summary
CVE-2025-10639 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Sec Consult (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 mandates management of authenticators to prohibit hardcoded weak credentials, directly preventing unauthorized FTP server logins.
SI-2 requires identification, reporting, and remediation of flaws like hardcoded credentials in the WorkExaminer FTP server, eliminating the vulnerability.
AC-17 establishes controls for remote access to services like the FTP server on TCP port 12304, restricting unauthorized network access and sessions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hardcoded credentials enable T1078.001 for initial FTP access (T1190 on public-facing service); FTP write access to service binaries facilitates T1574.010 for SYSTEM RCE.
NVD Description
The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304. An attacker with network access to this port can use weak hardcoded credentials to login to the FTP…
more
server and modify or read data, log files and gain remote code execution as NT Authority\SYSTEM on the server by exchanging accessible service binaries in the WorkExaminer installation directory (e.g. "C:\Program File (x86)\Work Examiner Professional Server").
Deeper analysisAI
CVE-2025-10639 affects the WorkExaminer Professional server installation, which includes an FTP server listening on TCP port 12304 for receiving client logs. The vulnerability stems from weak hardcoded credentials (CWE-798: Use of Hard-coded Credentials) that allow unauthorized access to this FTP service. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and potential for high confidentiality, integrity, and availability impacts.
An attacker with network access to TCP port 12304 can exploit the weak hardcoded credentials to log into the FTP server. This grants the ability to read or modify data and log files. Escalation to remote code execution as NT Authority\SYSTEM is possible by exchanging accessible service binaries within the WorkExaminer installation directory, such as "C:\Program Files (x86)\Work Examiner Professional Server."
Advisories detailing the vulnerability and mitigation recommendations are available from SEC Consult at https://r.sec-consult.com/workexaminer and on the Full Disclosure mailing list at http://seclists.org/fulldisclosure/2025/Oct/19.
Details
- CWE(s)