
[FD] SEC Consult SA-20251021-0 :: Multiple Vulnerabilities in EfficientLab WorkExaminer Professional (CVE-2025-10639, CVE-2025-10640, CVE-2025-10641)



SEC Consult Vulnerability Lab Security Advisory < 20251021-0 >
=======================================================================
             title: Multiple Vulnerabilities
           product: EfficientLab WorkExaminer Professional
vulnerable version: <= 4.0.0.52001
     fixed version: -
        CVE number: CVE-2025-10639, CVE-2025-10640, CVE-2025-10641
            impact: Critical
          homepage: https://www.workexaminer.com
             found: 2025-05-26
                by: Tobias Niemann (Office Bochum)
                    Daniel Hirschberger (Office Bochum)
                    Thorger Jansen (Office Bochum)
                    Marius Renner (Office Berlin)
                    SEC Consult Vulnerability Lab

                    An integrated part of SEC Consult, an Eviden business
                    Europe | Asia

                    https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Work Examiner Professional is a solution that will help you to perform a
qualitative analysis of the usage of worktime and find the points where the
efficiency of the personnel increases. With Work Examiner Professional every
manager will know how the employees' time is spent. Thus, the system shows the
bottom-up pattern of the usage of the company's time on all the necessary
control levels (division->section->department)."

Source: https://www.workexaminer.com/products/professional.html


Business recommendation:
------------------------
The vendor responded to the submission of our security vulnerabilities by
stating that they are not within the scope of their bug bounty program. After
telling them that we do not care about the bug bounty but about a fix for the
issues, we did not receive any further response.

Hence, there is no fix available for the identified security issues and we
assume that this product is unmaintained. We urge customers to contact
EfficientLab regarding the issues and a potential solution, such as using
another product.

SEC Consult highly recommends performing a thorough security review of the
product, conducted by security professionals, to identify and resolve
potential further security issues.


Vulnerability overview/description:
-----------------------------------
1) Usage of Hardcoded FTP Credentials (FTP Access and RCE) (CVE-2025-10639)
An unauthenticated attacker with network access to port 12304 of the
WorkExaminer server can use weak hardcoded credentials to log in to the
WorkExaminer FTP server and use that access to read or modify data and log
files, and to gain remote code execution as NT Authority\SYSTEM on the server.

2) Missing Server-Side Authentication Checks (CVE-2025-10640)
An unauthenticated attacker with access to port 12306 of the WorkExaminer server
can exploit missing server-side authentication checks to bypass the login prompt
of the WorkExaminer Professional console and gain administrative access to the
WorkExaminer server and therefore to all monitoring data. This includes the
monitored screenshots and keystrokes of all users!

3) Unencrypted Communications (CVE-2025-10641)
All WorkExaminer Professional traffic between monitoring client, console and
server is transmitted as plain text. This allows an attacker with access to the
network to read the transmitted sensitive data. An attacker can also freely
modify the data on the wire.


Proof of concept:
-----------------
1) Usage of Hardcoded FTP Credentials (FTP Access and RCE) (CVE-2025-10639)
The WorkExaminer Professional server installation comes with an FTP server that
is used to receive the client logs. Weak hardcoded credentials can be used to
access the FTP server on port 12304 via the network.

<FTP_access.png>

The attacker can then proceed to modify or read any of the data stored in the
WorkExaminer installation directory (e.g.
"C:\Program Files (x86)\Work Examiner Professional Server").

In addition, it is possible to rename and overwrite one of the WorkExaminer
service binaries to gain code execution on the WorkExaminer server as
NT Authority\SYSTEM.
<service_binaries.png>

A Windows firewall exception is automatically created during the installation.
<firewall_exception.png>

2) Missing Server-Side Authentication Checks (CVE-2025-10640)
The WorkExaminer Professional console is used for administrative access to the
server. Before access to the console is granted, administrators must log in.
Internally, a custom protocol is used to call a respective stored procedure on
the MSSQL database. For general authentication the following procedure is
called with the entered login name and password:
--------------------------------------------------------------------------------
CREATE PROCEDURE [dbo].[we_Logins_AuthenticateSqlLogin]
        @LoginName      nvarchar(256),
        @Password       nvarchar(128),
        @Result         int OUTPUT
AS
BEGIN
        -- Unknown login name: the procedure's return code signals -1 to the caller
        IF NOT EXISTS (SELECT LoginName FROM we_Logins WHERE @LoginName = LoginName)
                RETURN (-1)

        DECLARE @PasswordHash varbinary(128)

        SELECT @PasswordHash = PasswordHash FROM we_Logins WHERE @LoginName = LoginName

        -- PWDCOMPARE yields 1 on a match and 0 otherwise; only @Result carries the verdict
        SELECT @Result = PWDCOMPARE(@Password, @PasswordHash)
END
--------------------------------------------------------------------------------
However, the return value of the call is not validated on the server side.
Instead, it is only validated client-side. A quick authentication bypass can
therefore be achieved by toggling the return value in the server response when
entering wrong credentials. For this proof of concept the global admin account
"admin" was used.

<login_window.png>

The highlighted byte in the server response is set from 0 to 1.

<server_response_toggle.png>

The client now assumes that the authentication has succeeded and access is
granted:

<login_bypassed.png>

It is also possible to completely patch the login check out of the client. This
can easily be achieved by replacing the selected instructions with nops:

<x64dbg.png>

The modified client bypasses the login regardless of the entered password.

If AD authentication is chosen during the login, the following procedure is
called:
--------------------------------------------------------------------------------
CREATE PROCEDURE [dbo].[we_Logins_GetLoginByName]
        @LoginName      nvarchar(256)
AS
BEGIN
        -- Returns the account record, including its privilege flags, to the caller
        SELECT
                LoginId,
                LoginName,
                Reports,
                Menus,
                AuthenticationType,
                IsAdmin
        FROM dbo.we_Logins
        WHERE @LoginName = LoginName
END
--------------------------------------------------------------------------------
In this case the return value must be replaced with the respective expected
values.
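As an added illustration, not code from the advisory or from WorkExaminer, the following Python model contrasts the flow described above (the server runs the check, but only the client acts on the result byte) with a server that keeps the authentication decision itself, so that the same 0 to 1 toggle on the wire no longer yields data. The login table, the SHA-256 stand-in for PWDCOMPARE and the class names are constructed for this example.

```python
import hashlib
import hmac

# Constructed stand-in for dbo.we_Logins; SHA-256 here replaces PWDCOMPARE.
LOGINS = {"admin": hashlib.sha256(b"correct-horse").hexdigest()}


def authenticate_sql_login(login_name: str, password: str) -> int:
    """Models we_Logins_AuthenticateSqlLogin: -1 unknown login, 0 wrong password, 1 success."""
    if login_name not in LOGINS:
        return -1
    digest = hashlib.sha256(password.encode()).hexdigest()
    return 1 if hmac.compare_digest(LOGINS[login_name], digest) else 0


class VulnerableServer:
    """Hands the result byte to the client and never consults it again itself."""

    def login(self, login_name: str, password: str) -> bytes:
        return bytes([authenticate_sql_login(login_name, password) & 0xFF])

    def get_keystrokes(self) -> str:
        return "captured keystrokes"  # served to any console that asks


class HardenedServer:
    """Keeps the authentication decision in per-connection server-side state."""

    def __init__(self) -> None:
        self._authenticated = False

    def login(self, login_name: str, password: str) -> bytes:
        result = authenticate_sql_login(login_name, password)
        self._authenticated = result == 1  # decided here, not by the client
        return bytes([result & 0xFF])

    def get_keystrokes(self) -> str:
        if not self._authenticated:
            raise PermissionError("not authenticated")
        return "captured keystrokes"


def console_session(server, login_name: str, password: str, flip_byte: bool = False):
    """Console login flow; flip_byte models the 0 -> 1 toggle of the response byte."""
    response = server.login(login_name, password)
    if flip_byte:
        response = b"\x01"
    if response[0] != 1:  # the client-side check the advisory describes
        return None
    try:
        return server.get_keystrokes()
    except PermissionError:
        return None
```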

3) Unencrypted Communications (CVE-2025-10641)
The monitoring clients transmit their data to the server using unencrypted FTP.
Clients connect to the FTP server on port 12304 and transmit the data
unencrypted:

<ftp_unencrypted.png>

In addition, all traffic between the console client and the server on port 12306
is unencrypted. The following screenshot shows keystrokes that are retrieved via
the console:

<unencrypted_console.png>


Vulnerable / tested versions:
-----------------------------
The following version, which was the latest version available at the time of
the test, has been tested:
* WorkExaminer Professional 4.0.0.52001


Vendor contact timeline:
------------------------
2025-07-09: Initial mail to the vendor (support@xxxxxxxxxxxxxxxx); no response.
2025-08-22: Sent reminder mail; no response.
2025-09-16: Submitting support ticket via
            https://kb.controlio.net/hc/en-us/requests/new for another advisory
            and including information about this one. Vendor assigns ticket
            #14957, support agent forwards request to relevant department.
            EfficientLab answers that there is a bug bounty page to submit
            security advisories at https://controlio.net/bug-bounty.html
2025-09-17: Submitting advisory, ticket #14997 was assigned for this advisory.
2025-10-15: Vendor responds that our submission is not eligible for bug bounty
            (out of scope).
2025-10-16: Telling vendor that we don't care about the bug bounty but secure
            software. Asking if a fix is being developed or not. Setting date
            of disclosure for 21st October. No response.
2025-10-21: Public release of advisory.


Solution:
---------
The vendor responded to the submission of our security vulnerabilities by
stating that they are not within the scope of their bug bounty program. After
telling them that we do not care about the bug bounty but about a fix for the
issues, we did not receive any further response.

Hence, there is no fix available for the identified security issues and we
assume that this product is unmaintained. We urge customers to contact
EfficientLab regarding the issues and a potential solution, such as using
another product.


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested in working with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://x.com/sec_consult

EOF Tobias Niemann, Daniel Hirschberger, Thorger Jansen, Marius Renner / @2025
