CVE-2025-15559

CVE-2025-15559: Unauthenticated OS Command Injection in NesterSoft WorkTime

Vendor Nestersoft Inc.

Product WorkTime (on-prem/cloud)

Weakness CWE-78

Published February 19, 2026

Last update February 23, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.

Key dates

02Disclosure timeline

February 19, 2026 CVE published

February 23, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-15559 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2025-15559: Unauthenticated OS Command Injection in NesterSoft WorkTime

01Description

02Disclosure timeline

03References

04Related CVE