CVE-2025-10639 identifies a critical security vulnerability in EfficientLab's WorkExaminer Professional server, specifically in versions up to 4.0.0.52001. The product includes an FTP server component that listens on TCP port 12304, intended to receive client logs. However, this FTP server uses hardcoded credentials, a classic CWE-798 weakness, which are weak and easily guessable or discoverable by an attacker with network access to the port. An attacker who successfully authenticates can read or modify log files and, more dangerously, replace service binaries located in the WorkExaminer installation directory (e.g., "C:\Program File (x86)\Work Examiner Professional Server"). This binary replacement enables remote code execution under the NT Authority\SYSTEM account, granting full control over the server. The vulnerability does not require user interaction beyond network access to the FTP port, and no authentication beyond the hardcoded credentials is needed. Although no public exploits are reported yet, the flaw's nature and privilege escalation potential make it a critical threat. The lack of a CVSS score necessitates a severity assessment based on the vulnerability's characteristics. The vulnerability affects all installations running vulnerable versions, and the absence of patches at the time of publication increases risk. The attack surface is limited to network access to the FTP port, but given that this port is used for log reception, it may be exposed in some network configurations. The vulnerability's exploitation could lead to full system compromise, data tampering, and persistence mechanisms for attackers.

For European organizations, this vulnerability presents a significant risk, especially for those relying on WorkExaminer Professional for employee monitoring and productivity tracking. Successful exploitation could lead to complete server compromise, allowing attackers to manipulate logs, hide malicious activity, and execute arbitrary code with SYSTEM privileges. This could result in data breaches, operational disruption, and potential lateral movement within corporate networks. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face heightened risks of regulatory penalties and reputational damage. The ability to modify logs also undermines forensic investigations and incident response efforts. Additionally, the vulnerability could be leveraged to establish persistent backdoors, complicating remediation. The threat is particularly acute if the FTP port is exposed beyond trusted internal networks or if network segmentation is insufficient. Given the criticality of the privilege escalation and ease of exploitation, the impact on confidentiality, integrity, and availability is severe.

European organizations should immediately audit their network configurations to identify any exposure of TCP port 12304 used by WorkExaminer Professional's FTP server. Network access to this port should be strictly limited to trusted hosts, ideally isolated within secure internal segments or VPNs. Since the vulnerability stems from hardcoded credentials, organizations should contact EfficientLab for patches or updated versions that remove or secure these credentials. In the absence of official patches, consider disabling the FTP service if log reception can be rerouted or handled differently. Implement file integrity monitoring on the WorkExaminer installation directory to detect unauthorized binary modifications. Employ network intrusion detection systems (NIDS) to monitor for suspicious FTP login attempts or unusual file transfers. Regularly review logs for anomalies and maintain strict access controls on servers running WorkExaminer. Additionally, conduct internal penetration testing to verify the effectiveness of mitigations. Finally, prepare incident response plans to quickly address any signs of compromise related to this vulnerability.