CVE-2025-10539

CVE-2025-10539: Improper TLS Certificate Validation RCE via Malicious Update in DeskTime Time Tracking App

Vendor: Desktime
Product: DeskTime Time Tracking App
Weakness: CWE-295
Published: April 28, 2026
Last update: April 29, 2026

CVSS base score

What the vulnerability does

01 Description

Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.

Key dates

02 Disclosure timeline

April 28, 2026: CVE published
April 29, 2026: Record updated