CVE-2025-10639: CWE-798 Use of Hard-coded Credentials in EfficientLab WorkExaminer Professional
The WorkExaminer Professional server installation ships with an FTP server, listening on TCP port 12304, that receives the client logs. An attacker with network access to this port can use weak, hard-coded credentials to log in to the FTP server, read or modify data and log files, and gain remote code execution as NT AUTHORITY\SYSTEM on the server by replacing the accessible service binaries in the WorkExaminer installation directory (e.g. "C:\Program Files (x86)\Work Examiner Professional Server").
AI Analysis
Technical Summary
CVE-2025-10639 is a high-severity vulnerability in EfficientLab's WorkExaminer Professional server, affecting installations up to version 4.0.0.52001. The server ships with an embedded FTP service listening on TCP port 12304 that receives the logs uploaded by the monitoring clients. That service authenticates with weak, hard-coded credentials (CWE-798): the same fixed account exists in every installation, so anyone who can reach the port and knows the credentials can log in. Once logged in, the attacker can read and modify the collected log data and, more seriously, write into the WorkExaminer installation directory (e.g. "C:\Program Files (x86)\Work Examiner Professional Server"). Because the product's services run as NT AUTHORITY\SYSTEM and load their binaries from that directory, replacing one of those binaries with an attacker-controlled file yields arbitrary code execution as SYSTEM when the service loads it, i.e. full control of the server. Exploitation needs only network reachability of the FTP port and no user interaction; the "privileges required: low" component of the CVSS vector reflects that the attacker logs in with the built-in account rather than bypassing authentication outright. The CVSS 3.1 base score of 8.8 cited for this issue corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (network-reachable, low attack complexity, no user interaction, high impact on confidentiality, integrity and availability); that is a High rating, not Critical. No exploitation in the wild had been reported at the time of analysis, but the attack chain is simple enough that the issue should be treated as a full-compromise risk. The root cause is a design choice: a network-facing service shipped with fixed credentials baked into the product, which violates basic credential-management practice.
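The entry point described above can be checked for exposure without any credentials: connect to TCP 12304, read the RFC 959 greeting (a 220 reply) and disconnect. The following probe is an added example written for this page; it is not code from the advisory, from EfficientLab, or from the page's author. The stub greeter and its banner text are constructed so the probe can be exercised offline and are not the product's real greeting; the script name in the usage comment is hypothetical.

```python
import socket
import socketserver
import sys
import threading
from dataclasses import dataclass
from typing import List, Optional, Tuple

WORKEXAMINER_FTP_PORT = 12304  # log-receiving FTP port named in the advisory


@dataclass
class ProbeResult:
    host: str
    port: int
    reachable: bool          # TCP connect succeeded
    banner: Optional[str]    # first line the service sent, if any


def _read_line(sock: socket.socket, limit: int = 1024) -> bytes:
    """Read up to one CRLF-terminated line; stop on EOF or once limit bytes arrived."""
    buf = b""
    while not buf.endswith(b"\r\n") and len(buf) < limit:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_ftp_banner(host: str, port: int = WORKEXAMINER_FTP_PORT,
                     timeout: float = 3.0) -> ProbeResult:
    """TCP-connect to host:port, capture the greeting, send QUIT. No login is attempted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                raw = _read_line(sock)
            except socket.timeout:
                raw = b""          # open port that stays silent: not confirmed as FTP
            try:
                sock.sendall(b"QUIT\r\n")
            except OSError:
                pass
    except OSError:                # refused, unreachable, or connect timeout
        return ProbeResult(host, port, False, None)
    banner = raw.decode("ascii", errors="replace").strip() or None
    return ProbeResult(host, port, True, banner)


def is_ftp_greeting(banner: Optional[str]) -> bool:
    """RFC 959 servers open with a 220 reply ("220 text" or multi-line "220-text")."""
    return banner is not None and banner[:3] == "220" and banner[3:4] in ("", " ", "-")


def find_exposed(hosts: List[str], port: int = WORKEXAMINER_FTP_PORT) -> List[ProbeResult]:
    """Probe each host; keep only those that answer with an FTP greeting."""
    return [r for r in (probe_ftp_banner(h, port) for h in hosts) if is_ftp_greeting(r.banner)]


# --- constructed stand-in so the probe can be exercised offline ---------------
# This is NOT the WorkExaminer service; the banner text is made up for the demo.
class _StubGreeter(socketserver.BaseRequestHandler):
    GREETING = b"220 stub FTP ready\r\n"

    def handle(self):
        self.request.sendall(self.GREETING)
        self.request.settimeout(1.0)
        try:
            self.request.recv(64)    # absorb the client's QUIT, then the server closes
        except OSError:
            pass


def start_stub_server() -> Tuple[int, socketserver.TCPServer]:
    """Listen on 127.0.0.1 at an ephemeral port; caller must shutdown()/server_close()."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _StubGreeter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


if __name__ == "__main__":
    # Usage: python probe_12304.py <host> [<host> ...]; with no hosts, probes the local stub.
    targets, port, stub = sys.argv[1:], WORKEXAMINER_FTP_PORT, None
    if not targets:
        port, stub = start_stub_server()
        targets = ["127.0.0.1"]
    for r in (probe_ftp_banner(h, port) for h in targets):
        state = "FTP" if is_ftp_greeting(r.banner) else ("open" if r.reachable else "closed")
        print(f"{r.host}:{r.port} {state} {r.banner or ''}".rstrip())
    if stub is not None:
        stub.shutdown()
        stub.server_close()
```

Run it against the server's address from each network segment that should not be able to reach the log-collection port (user VLANs, VPN ranges, the internet-facing side) to confirm the firewall rules hold; a "closed" result from those segments and "FTP" only from the client subnets is the target state. The probe deliberately stops after the greeting, so it never touches the hard-coded account and is safe to run on production hosts.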
Potential Impact
For European organizations this vulnerability is a serious risk, particularly where WorkExaminer Professional is used for employee monitoring and productivity tracking. Successful exploitation gives the attacker SYSTEM-level access and therefore complete control of the affected server. That yields unauthorized access to sensitive employee data, the ability to tamper with logs that may be relied on for auditing or compliance, and a foothold for lateral movement within the corporate network. Arbitrary code execution with high privileges also enables deployment of ransomware, espionage tooling, or persistent backdoors. Because the access gained is total and business operations can be disrupted, the confidentiality, integrity, and availability of the organization's IT systems are all at stake. A compromised monitoring system can additionally undermine employee trust and breach privacy obligations such as those under the GDPR, with legal and reputational consequences.
Mitigation Recommendations
Organizations should immediately inventory WorkExaminer Professional servers running versions up to 4.0.0.52001 and determine which networks can reach TCP port 12304 on them. Since the port exists only to receive uploads from the monitoring clients, host and network firewall rules should restrict it to the client subnets that legitimately upload logs; exposure to the internet or to guest networks is never justified. Where the deployment allows it, disable the embedded FTP service or move log collection to a channel that does not rely on fixed credentials. Ask EfficientLab for a fixed release that removes the hard-coded credentials and deploy it as soon as it is available; until then, treat the server as a high-value target: apply the network restrictions above, alert on FTP sessions to port 12304 from unexpected sources, and alert on any file creation or modification under the installation directory other than the expected log files. Application allow-listing with hash- or publisher-based rules (for example AppLocker or Windows Defender Application Control; path-based rules do not help, because the attacker overwrites a binary at its existing path) makes a swapped binary harder to execute, and file-integrity monitoring of the service binaries makes a swap quick to notice, though it detects rather than prevents the change. Finally, review who has network access to the server and audit its configuration regularly to keep the attack surface small.
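The file-integrity part of the recommendations above, the point being that the signal is a changed hash on a service binary while log files in the same tree churn legitimately, is shown below as an added example written for this page; it is not code from the advisory, from EfficientLab, or from the page's author. The directory layout, file names and contents in the demo are invented, and the baseline is written next to the monitored files only for the offline run (in production it belongs off the monitored host, since a SYSTEM-level attacker can rewrite anything local).

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# File types an attacker would swap to hijack a SYSTEM service. Log files are
# expected to change constantly in this tree and are deliberately excluded.
BINARY_SUFFIXES = frozenset({".exe", ".dll", ".sys", ".bat", ".cmd", ".ps1"})


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes: Iterable[str] = BINARY_SUFFIXES) -> Dict[str, str]:
    """Map every matching file under root (relative, POSIX-style path) to its SHA-256."""
    wanted = {s.lower() for s in suffixes}
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in wanted
    }


def compare_baseline(root: Path, baseline: Dict[str, str],
                     suffixes: Iterable[str] = BINARY_SUFFIXES) -> Dict[str, List[str]]:
    """Classify drift from the baseline: 'modified' is the swapped-service-binary signal,
    'added' catches dropped executables, 'removed' catches deleted ones."""
    current = build_baseline(root, suffixes)
    return {
        "modified": sorted(k for k, v in baseline.items() if k in current and current[k] != v),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def run_demo() -> Dict[str, object]:
    """Constructed end-to-end run in a temporary tree that mimics an install directory.
    Names and contents are invented for the demo; they are not the product's files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {
            "bin/service.exe": b"MZ original service",
            "bin/helper.dll": b"MZ original helper",
            "logs/client-a.log": b"2025-10-21 agent started\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root)
        store = root / "baseline.json"      # demo only; keep the real one off-host
        save_baseline(baseline, store)

        # Simulated post-exploitation writes through the FTP share: one service
        # binary overwritten, one new executable dropped, plus ordinary log growth.
        (root / "bin/service.exe").write_bytes(b"MZ attacker payload")
        (root / "bin/dropped.exe").write_bytes(b"MZ new tool")
        (root / "logs/client-a.log").write_bytes(
            b"2025-10-21 agent started\n2025-10-21 upload ok\n")

        report = compare_baseline(root, load_baseline(store))
        return {"baseline_files": sorted(baseline), "report": report}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The expected report from the demo lists bin/service.exe as modified and bin/dropped.exe as added, with no entry for the grown log file. For a real deployment, take the baseline right after a trusted install or patch, store it and the comparison job somewhere the server itself cannot write, and treat any non-empty "modified" or "added" list for the install directory as an incident rather than a drift ticket, because on this product a changed binary there is the final step of the attack chain.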
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-17T14:05:15.138Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68f77387a08cdec9506874f4
Added to database: 10/21/2025, 11:50:31 AM
Last enriched: 11/4/2025, 12:33:57 PM
Last updated: 12/7/2025, 2:44:33 PM