CVE-2025-10640
Published: 21 October 2025
Summary
CVE-2025-10640 is a critical-severity Client-Side Enforcement of Server-Side Security (CWE-602) vulnerability in Sec Consult (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 35.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access server-side, directly addressing the missing validation of stored procedure return values that allows authentication bypass.
- IA-2 (Identification and Authentication (Organizational Users)): requires unique identification and authentication of organizational users before granting access to the administrative console, preventing unauthenticated exploitation.
- AC-14 (Permitted Actions Without Identification or Authentication): limits and documents permitted actions without identification or authentication, prohibiting administrative access to sensitive data via the unauthenticated TCP port 12306.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a critical authentication bypass in a network-accessible service (TCP port 12306) allowing unauthenticated remote attackers to gain full administrative access to the server, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
An unauthenticated attacker with access to TCP port 12306 of the WorkExaminer server can exploit missing server-side authentication checks to bypass the login prompt in the WorkExaminer Professional console to gain administrative access to the WorkExaminer server and therefore all sensitive monitoring data. This includes monitored screenshots and keystrokes of all users. The WorkExaminer Professional console is used for administrative access to the server. Before access to the console is granted, administrators must log in. Internally, a custom protocol is used to call a respective stored procedure on the MSSQL database. The return value of the call is not validated on the server side. Instead it is only validated client-side, which allows bypassing authentication.
Deeper analysis
CVE-2025-10640 affects the WorkExaminer server, specifically the Professional console used for administrative access, which listens on TCP port 12306. The vulnerability stems from missing server-side authentication checks, where a custom protocol calls a stored procedure on the MSSQL database, but the return value is validated only on the client side. This client-side enforcement (CWE-602) allows attackers to bypass the login prompt entirely. The issue was published on 2025-10-21 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated attacker with network access to TCP port 12306 can exploit this flaw remotely with low complexity and no user interaction required. Successful exploitation grants full administrative access to the WorkExaminer server, exposing all sensitive monitoring data, including screenshots and keystrokes captured from monitored users.
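The following is an added illustration of the CWE-602 pattern described above, not code from WorkExaminer or from the advisory: a simulated command handler that only relays the login stored-procedure result to the client, beside one that records and enforces that result on the server. The command names, session model and credential check are constructed stand-ins for the real custom protocol and MSSQL procedure, which the page does not detail.

```python
from dataclasses import dataclass

# Constructed stand-in for the MSSQL login stored procedure: returns 1 on a
# matching credential and 0 otherwise, as such procedures commonly do.
_USERS = {"admin": "correct horse battery staple"}


def sp_check_login(user: str, password: str) -> int:
    return 1 if _USERS.get(user) == password else 0


@dataclass
class Session:
    """Per-connection state kept by the server (hypothetical)."""
    authenticated: bool = False


def handle_vulnerable(session: Session, cmd: str, args: dict) -> dict:
    """Vulnerable shape: the procedure result is merely returned to the client,
    which alone decides whether to show the console. No privileged command is
    gated here, so the server never checks who is asking."""
    if cmd == "LOGIN":
        return {"ok": sp_check_login(args["user"], args["password"])}
    if cmd == "GET_KEYSTROKES":
        return {"ok": 1, "data": "...monitoring data..."}
    return {"ok": 0, "error": "unknown command"}


def handle_hardened(session: Session, cmd: str, args: dict) -> dict:
    """Hardened shape: the server records the procedure result in its own
    session state and refuses every privileged command until it is set."""
    if cmd == "LOGIN":
        session.authenticated = sp_check_login(args["user"], args["password"]) == 1
        return {"ok": int(session.authenticated)}
    if not session.authenticated:
        return {"ok": 0, "error": "authentication required"}
    if cmd == "GET_KEYSTROKES":
        return {"ok": 1, "data": "...monitoring data..."}
    return {"ok": 0, "error": "unknown command"}


def enforces_login_server_side(handler) -> bool:
    """Regression check: True only if a fresh, never-authenticated session is
    refused monitoring data, i.e. enforcement lives on the server."""
    fresh = Session()
    return handler(fresh, "GET_KEYSTROKES", {}).get("ok") != 1
```

The check in `enforces_login_server_side` is the kind of assertion a product team can keep in its test suite so that the server-side gate cannot silently regress to client-only enforcement.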
For details on mitigation, patches, or workarounds, refer to the advisories from SEC Consult at https://r.sec-consult.com/workexaminer and the Full Disclosure mailing list posting at http://seclists.org/fulldisclosure/2025/Oct/19.
Details
- CWE(s)