Cyber Resilience

CVE-2025-15561

High · LPE

Published: 19 February 2026

Modified: 26 February 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-15561 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Nestersoft Worktime. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-34 (Non-modifiable Executable Programs).

Deeper analysis

CVE-2025-15561 is a privilege escalation vulnerability (CVSS 7.8, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) in the update behavior of the WorkTime monitoring daemon, associated with CWE-269 (Improper Privilege Management). The flaw enables an attacker to achieve local privilege escalation to NT Authority\SYSTEM by exploiting a directory writable by Everyone.

A low-privileged local attacker can exploit this vulnerability by dropping a malicious executable named WTWatch.exe into the C:\ProgramData\wta\ClientExe directory. The WorkTime monitoring daemon subsequently executes this file with SYSTEM privileges, granting the attacker full control over the local system, including high confidentiality, integrity, and availability impacts.

For mitigation details, refer to the advisory published by SEC Consult at https://r.sec-consult.com/worktime.
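
The condition described above can be checked on a host with the following audit script. It is an added example, not code from SEC Consult, Nestersoft or this page's source: it lists Allow ACEs that give broad groups write access to the directory and to any files already in it. The set of well-known SIDs and the rights mask are this example's own choices, and Deny ACEs are not evaluated.

```powershell
# Added example (not vendor or advisory code): report write access held by
# broad principals on the directory named on this page.
$Path = 'C:\ProgramData\wta\ClientExe'      # path as given on the page

# Well-known SIDs for broad, low-privileged groups (locale independent).
# Which groups count as "broad" is an assumption of this example.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# CreateFiles/WriteData (0x2), AppendData/CreateDirectories (0x4),
# GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
# Write, Modify and FullControl all include the 0x2 bit.
$WriteBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$LiteralPath)
    $acl     = Get-Acl -LiteralPath $LiteralPath
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadSids.ContainsKey($sid) -and
            (([int]$ace.FileSystemRights) -band $WriteBits)) {
            [pscustomobject]@{
                Path      = $LiteralPath
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Not present: $Path"
} else {
    # Check the directory itself and every file already inside it.
    $targets  = @($Path) + @(Get-ChildItem -LiteralPath $Path -File -Force |
                             ForEach-Object FullName)
    $findings = $targets | ForEach-Object { Get-BroadWriteAce -LiteralPath $_ }
    if ($findings) { $findings | Format-Table -AutoSize }
    else           { Write-Output "No broad write ACEs on $Path" }
}
```

Any row in the output means a non-administrative principal can create or modify files in a location the SYSTEM-level daemon executes from.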

Vulnerability details

An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE describes local privilege escalation via malicious executable placement in a world-writable directory executed by a SYSTEM-privileged daemon (CWE-269).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15559 · Same product: Nestersoft Worktime
CVE-2025-15560 · Same product: Nestersoft Worktime
CVE-2024-44250 · Shared CWE-269
CVE-2024-53706 · Shared CWE-269
CVE-2025-66374 · Shared CWE-269
CVE-2026-28995 · Shared CWE-269
CVE-2025-43199 · Shared CWE-269
CVE-2025-36640 · Shared CWE-269
CVE-2025-8899 · Shared CWE-269
CVE-2024-47770 · Shared CWE-269

Affected Assets

Vendor: nestersoft · Product: worktime · Versions: ≤ 11.8.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces least privilege to prevent low-privileged local attackers from writing malicious executables to the Everyone-writable C:\ProgramData\wta\ClientExe directory exploited by the WorkTime daemon.

prevent

Requires executables to be run only from non-modifiable storage locations, directly blocking the daemon's execution of WTWatch.exe from the writable directory.

prevent

Mandates integrity verification of software prior to execution, preventing the daemon from running unverified or malicious WTWatch.exe with SYSTEM privileges.
