Vulnerability Summary: Missing TLS Certificate Validation leading to RCE (CVE-2025-10539)

Vulnerability Overview

CVE-2025-10539: Because the DeskTime client does not validate the TLS certificate of the update server, an attacker positioned on the network path between the client and the update server can answer an update request with a malicious executable, achieving user-level code execution (RCE) on the client.

Impact Scope

Affected Version: 1.3.671 (latest version at time of testing)
Trigger Condition: The updater runs automatically every hour, requiring no user interaction.

Remediation

Fixed Version: v1.3.674
Release Date: 2026-04-28
Download URL: https://desktime.com/download

Proof of Concept (POC)

1. Certificate Validation Code Snippet
2. Burp Suite Listener Settings
3. Burp DNS Override Settings
4. Update Request Example
5. Update Response Example
6. Burp Replacement Rule
7. Malicious Update File: served in place of the updater; it executes automatically when the client checks for updates.
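The defect class above and its fix, as an added illustration that is not DeskTime's code: a weak TLS context that accepts any certificate beside the hardened default, an audit check that flags the weak one, and an update fetcher that refuses to run without validation and also checks the downloaded file against a digest published out of band (the URL, the digest distribution and the sample bytes are constructed assumptions).

```python
"""Hardened update-fetch pattern (added example, not DeskTime's implementation)."""
import hashlib
import ssl
import urllib.request

# Placeholder URL; the real update endpoint is not reproduced here.
UPDATE_URL = "https://updates.example.invalid/updater.exe"

# Constructed sample payload and its digest, standing in for a vendor-published hash.
SAMPLE_UPDATE = b"constructed update bytes, not a real binary"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_UPDATE).hexdigest()


def weak_context():
    """The misconfiguration class behind CVE-2025-10539: no chain or hostname
    check, so any host on the path can present its own certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Default context: chain validated against the trust store, hostname checked."""
    return ssl.create_default_context()


def context_is_safe(ctx):
    """Audit check: both chain verification and hostname matching must be on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def payload_matches(data, expected_sha256):
    """Second layer: even over TLS, refuse an update whose digest differs from
    the value obtained out of band (a code signature would serve the same role)."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def fetch_update(url, expected_sha256, ctx=None):
    """Download the update over a verified TLS channel and check its digest.
    Raises ValueError rather than returning a file that fails either check."""
    ctx = ctx or hardened_context()
    if not context_is_safe(ctx):
        raise ValueError("refusing to fetch update without certificate validation")
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        data = resp.read()
    if not payload_matches(data, expected_sha256):
        raise ValueError("update digest mismatch; discarding file")
    return data
```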