Cyber Posture

CVE-2025-15561

High · LPE

Published: 19 February 2026
Modified: 26 February 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-15561 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Nestersoft Worktime. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-34 (Non-modifiable Executable Programs).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Enforces least privilege to prevent low-privileged local attackers from writing malicious executables to the Everyone-writable C:\ProgramData\wta\ClientExe directory used by the WorkTime daemon.

prevent: Requires executables to be run only from non-modifiable storage locations, directly blocking the daemon's execution of WTWatch.exe from the writable directory.

prevent: Mandates integrity verification of software prior to execution, preventing the daemon from running an unverified or malicious WTWatch.exe with SYSTEM privileges.

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

CVE describes local privilege escalation via malicious executable placement in a world-writable directory executed by a SYSTEM-privileged daemon (CWE-269).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.

Deeper analysis · AI

CVE-2025-15561 is a privilege escalation vulnerability (CVSS 7.8, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) in the update behavior of the WorkTime monitoring daemon, associated with CWE-269 (Improper Privilege Management). The flaw enables an attacker to achieve local privilege escalation to NT Authority\SYSTEM by exploiting a directory writable by Everyone.

A low-privileged local attacker can exploit this vulnerability by dropping a malicious executable named WTWatch.exe into the C:\ProgramData\wta\ClientExe directory. The WorkTime monitoring daemon subsequently executes this file with SYSTEM privileges, granting the attacker full control over the local system, including high confidentiality, integrity, and availability impacts.

For mitigation details, refer to the advisory published by SEC Consult at https://r.sec-consult.com/worktime.
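
A defender-side check for the condition described above, as an added example that is not part of the original page or the vendor's tooling: it reads the ACL of the directory named in the CVE description and reports allow rules that give broad principals write-type rights. The function name `Test-BroadWriteAccess` is hypothetical, and the SID list (Everyone plus Authenticated Users and BUILTIN\Users) is an assumption that generalizes beyond the "Everyone" entry the CVE names.

```powershell
# Added example (not from the page or the vendor): report allow ACEs that give
# broad principals write-type rights on the directory named in the CVE text.
function Test-BroadWriteAccess {
    [CmdletBinding()]
    param(
        # Default is the path from the CVE description; pass another to reuse.
        [string]$Path = 'C:\ProgramData\wta\ClientExe'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Verbose "Directory not found: $Path"
        return
    }

    # Well-known SIDs (assumed scope): Everyone, Authenticated Users, BUILTIN\Users.
    $broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

    # Rights that allow creating or replacing a file in the directory.
    $writeNames = 'WriteData, AppendData, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask  = [int][System.Security.AccessControl.FileSystemRights]$writeNames

    # ACEs may carry raw generic bits instead: GENERIC_WRITE | GENERIC_ALL.
    $genericMask = 0x50000000

    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs so the check does not depend on localized account names.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($broadSids -notcontains $rule.IdentityReference.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if (($rights -band ($writeMask -bor $genericMask)) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            AppliesTo = $rule.InheritanceFlags
        }
    }
}

Test-BroadWriteAccess -Verbose | Format-Table -AutoSize
```

Each row returned is an ACE that lets a broad group create or replace files in the directory the daemon runs WTWatch.exe from.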

Details

CWE(s)

Affected Products

Vendor: nestersoft · Product: worktime · Versions: ≤ 11.8.8

CVEs Like This One

CVE-2025-15560: Same product: Nestersoft Worktime
CVE-2025-15559: Same product: Nestersoft Worktime
CVE-2026-2777: Shared CWE-269
CVE-2025-48613: Shared CWE-269
CVE-2026-35595: Shared CWE-269
CVE-2025-64487: Shared CWE-269
CVE-2025-67905: Shared CWE-269
CVE-2024-13376: Shared CWE-269
CVE-2025-26705: Shared CWE-269
CVE-2025-37186: Shared CWE-269
