CVE-2025-10560

June 18, 2026, 2:17 p.m.

9.3
Critical

Description

Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials authenticated as the AWS account root identity and provided access to Worksnaps production cloud resources, including S3 buckets containing sensitive data such as screenshots of user desktops. An attacker with access to the affected client binaries could extract or recover the credentials and use them to access affected Worksnaps cloud resources.

Product(s) Impacted

Vendor Product Versions
Worksnaps
  • Worksnaps
  • <1.6.20260201

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a worksnaps worksnaps <1.6.20260201 / / / / / / /

References

https://r.sec-consult.com/worksnaps
https://www.worksnaps.net/www/download.shtml

Tags

CWE-798
551230f0-3615-47bd-b7cc-93e92e730bbf
2026-06-18
CVE-2025-10560

CVSS Score

9.3 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 18, 2026, 1:25 p.m.
Last Modified: June 18, 2026, 2:17 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

551230f0-3615-47bd-b7cc-93e92e730bbf

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.