CVE-2025-15561 is a vulnerability classified under CWE-269 (Improper Privilege Management) affecting NesterSoft Inc.'s WorkTime software, both on-premises and cloud versions up to 11.8.8. The vulnerability stems from the WorkTime monitoring daemon's update mechanism, which automatically executes an executable named WTWatch.exe located in the directory C:\ProgramData\wta\ClientExe. This directory is writable by the Everyone group, meaning any local user can place files there. By dropping a malicious WTWatch.exe into this directory, an attacker with local write access can cause the daemon to execute their code with NT Authority\SYSTEM privileges, effectively escalating their privileges to the highest level on the Windows system. The CVSS v3.1 score is 7.8 (high), reflecting the ease of exploitation (local access with low privileges, no user interaction), and the significant impact on confidentiality, integrity, and availability. The vulnerability does not require user interaction but does require local access and the ability to write to the specified directory. No patches or official fixes have been published yet, and no known exploits have been reported in the wild. This vulnerability is critical for environments where WorkTime is deployed and where local user accounts may be untrusted or shared. The issue highlights a failure in secure update and execution practices, specifically the lack of proper access control on directories used by privileged processes.

The impact of CVE-2025-15561 is severe for organizations using WorkTime software, as it allows an attacker with minimal local privileges to gain full SYSTEM-level control over affected Windows hosts. This can lead to complete compromise of the system, including unauthorized access to sensitive data, installation of persistent malware, disabling security controls, and lateral movement within networks. Since WorkTime is used for employee monitoring and productivity tracking, attackers could also manipulate or erase logs and monitoring data, undermining organizational oversight. The vulnerability threatens confidentiality, integrity, and availability of systems and data. In environments with multiple users or where endpoint security is lax, this vulnerability could be exploited by insider threats or malware that gains limited local access. The lack of patches increases the risk window, and the writable directory by Everyone indicates poor default security posture. Organizations relying on WorkTime for compliance or operational monitoring may face regulatory and operational risks if exploited.

Until an official patch is released, organizations should immediately restrict write permissions on the C:\ProgramData\wta\ClientExe directory to trusted system accounts only, removing 'Everyone' write access. Implement strict file integrity monitoring on this directory to detect any unauthorized creation or modification of WTWatch.exe. Employ application whitelisting to prevent execution of unauthorized binaries by the WorkTime daemon. Limit local user privileges to the minimum necessary and audit local accounts for unnecessary write permissions. Consider isolating or sandboxing the WorkTime daemon process if possible. Monitor system and security logs for suspicious activity related to WTWatch.exe execution. Engage with NesterSoft Inc. for updates and apply patches promptly once available. Additionally, conduct internal awareness training to prevent insider misuse and review endpoint security policies to reduce risk of local privilege escalation.