SecuriTricks - CVE-2025-10548

Description

The CleverControl employee monitoring software (v11.5.1041.6) fails to validate TLS server certificates during the installation process. The installer downloads and executes external components using curl.exe --insecure, enabling a man-in-the-middle attacker to deliver malicious files that are executed with SYSTEM privileges. This can lead to full remote code execution with administrative rights. No patch is available as the vendor has been unresponsive. It is assumed that previous versions are also affected, but this is not confirmed.

Product(s) Impacted

Vendor	Product	Versions
Clevercontrol	Clevercontrol Employee Monitoring Software	11.5.1041.6, *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	clevercontrol	clevercontrol_employee_monitoring_software	11.5.1041.6	/	/	/	/	/	/	/
a	clevercontrol	clevercontrol_employee_monitoring_software	/	/	/	/	/	/	/	/

References

https://r.sec-consult.com/clevercontrol

CVSS Score

6.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

View Vector String

Timeline

Published: Sept. 23, 2025, 7:15 a.m.
Last Modified: Sept. 24, 2025, 6:11 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

551230f0-3615-47bd-b7cc-93e92e730bbf

CVE-2025-10548