A critical vulnerability, identified as CVE-2025-10640, exists in WorkExaminer Professional, which allows an unauthenticated attacker to completely bypass the login mechanism. Successful exploitation grants an attacker full administrative access to the server over the network, potentially leading to unauthorized surveillance, data theft, and further compromise of the corporate network.

The vulnerability is an authentication bypass due to missing server-side authentication checks on the service listening on TCP port 12306. An unauthenticated attacker with network access to this port can send a specially crafted request to the WorkExaminer server. The server fails to properly validate the user's credentials, granting the attacker an authenticated session with administrative privileges, effectively bypassing the login prompt entirely.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe and direct impact on business operations and security. As WorkExaminer is an employee monitoring tool, an attacker gaining administrative control could access highly sensitive data, including keystrokes, application usage, screenshots, and private communications of all monitored employees. This could lead to a major data breach, significant privacy violations, reputational damage, and potential legal and regulatory penalties. Furthermore, a compromised WorkExaminer server could be used as a pivot point to attack other systems on the internal network or to deploy malware to managed endpoints.

Immediate Action: Immediately update all instances of WorkExaminer Professional to the latest version provided by the vendor to patch this vulnerability. After applying the update, review server and application logs for any signs of compromise that may have occurred prior to patching.

Proactive Monitoring:

• Network Logs: Monitor and alert on any connections to TCP port 12306 from untrusted or unexpected IP addresses.
• Application Logs: Review WorkExaminer logs for anomalous login events, especially those occurring outside of business hours or from unusual sources. Scrutinize all administrative actions for unauthorized configuration changes.
• Endpoint/Server Behavior: Monitor the WorkExaminer server for unusual outbound network connections, new running processes, or high resource utilization that could indicate a post-exploitation payload.

Compensating Controls: If patching cannot be performed immediately, implement the following controls:

• Firewall Rules: Strictly limit network access to TCP port 12306. Only allow connections from trusted IP addresses of system administrators or dedicated management workstations.
• Network Segmentation: Isolate the WorkExaminer server from critical network segments to limit an attacker's ability to move laterally if the server is compromised.

Public Exploit Available: false

This vulnerability represents a significant and immediate risk to any organization using the affected software. Due to the critical CVSS score of 9.8 and the ease of exploitation, immediate action is required. While this vulnerability is not currently on CISA's Known Exploited Vulnerabilities (KEV) catalog, its severity warrants an emergency patching cycle. Organizations are strongly advised to apply the vendor-supplied patch immediately. If patching is delayed, compensating controls, particularly strict network access restrictions to TCP port 12306, must be implemented as an urgent priority to mitigate the risk of a full system compromise.