CVE-2025-15559

CriticalRCE

Published: 19 February 2026

Published

19 February 2026

Modified

03 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0023 46.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-15559 is a critical-severity OS Command Injection (CWE-78) vulnerability in Nestersoft Worktime. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation and sanitization of the 'guid' parameter in the WorkTime server API to directly prevent OS command injection exploitation.

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation of the specific command injection flaw in the WorkTime server API endpoint to eliminate the vulnerability.

AC-6 Least Privilege partial match

prevent

Enforces least privilege on the WorkTime server process to restrict the impact of injected commands beyond NT Authority\SYSTEM privileges.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.003 Windows Command Shell Execution

Adversaries may abuse the Windows command shell for execution.

attack.mitre.org →

Why these techniques?

CVE enables unauthenticated exploitation of a public-facing server API (T1190) via OS command injection, allowing arbitrary Windows command execution as SYSTEM (T1059.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an…

attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.

Deeper analysisAI

CVE-2025-15559 is an OS command injection vulnerability (CWE-78) affecting NesterSoft WorkTime, a time-tracking software. The issue resides in the server API endpoint responsible for generating and downloading the WorkTime client, where the "guid" parameter fails to properly sanitize input, enabling unauthenticated attackers to inject arbitrary OS commands on the WorkTime server.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows execution of arbitrary commands as NT Authority\SYSTEM with the highest privileges, granting attackers the ability to access or manipulate sensitive data and achieve full takeover of the WorkTime server.

Mitigation details are available in the SEC Consult advisory at https://r.sec-consult.com/worktime.