Improper TLS Certificate Validation in DeskTime Time Tracking App
CVE-2025-10539

Currently unrated

Key Information:

Vendor: Desktime

CVE Published: 28 April 2026

What is CVE-2025-10539?

The DeskTime Time Tracking App prior to version 1.3.674 does not properly validate TLS certificates. An attacker positioned in the network path between a client and the update servers can exploit this vulnerability to inject a malicious executable in response to an update request. This can result in user-level remote code execution on the affected client, which poses a significant security risk to users of the application.
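The checks an update client needs on this path, as an added example that is not code from DeskTime or from the advisory: it audits a TLS client context for the two validation gaps (chain and hostname) and refuses to stage a download unless both are enforced and the payload matches a digest. All function names, the sample payload and the separately trusted SHA-256 digest are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl

# Constructed sample payload standing in for a downloaded installer.
SAMPLE_UPDATE = b"constructed update payload, not a real installer"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_UPDATE).hexdigest()


def strict_update_context():
    """Client context that verifies the server's chain and its hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unvalidated_context():
    """The weak pattern: any certificate from any host is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the validation gaps in a client SSLContext (empty list = none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


def accept_update(ctx, payload, expected_sha256):
    """Stage an update only if transport validation is on and the digest matches.

    Assumption: expected_sha256 arrives through a channel trusted independently
    of the download, for example a signed manifest.
    """
    if audit_context(ctx):
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())
```

A context with `CERT_REQUIRED` but `check_hostname` disabled still fails the audit, since a valid certificate issued for any other host would then be accepted.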

Affected Version(s)

DeskTime Time Tracking App: versions from 0 up to, but not including, 1.3.674

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Daniel Hirschberger, SEC Consult Vulnerability Lab
Thorger Jansen, SEC Consult Vulnerability Lab
Tobias Niemann, SEC Consult Vulnerability Lab
Marius Renner, SEC Consult Vulnerability Lab