2026-02-19 10:53:18
SEC-VLab
PUBLISHED
An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT AuthoritySYSTEM. A malicious executable must be named WTWatch.exe and dropped in the C:ProgramDatawtaClientExe directory, which is writable by "Everyone". The executable will then be run by the WorkTime monitoring daemon.