Published: May 5, 2026

Source: CISA Vulnerability Bulletin SB26-125 — Vulnerability Summary for the Week of April 27, 2026

Original Article: https://www.cisa.gov/news-events/bulletins/sb26-125


Plain-English Summary: What Happened

On May 5, 2026, CISA published Vulnerability Bulletin SB26-125, covering the week of April 27, 2026. Among the 25+ vulnerabilities documented in that bulletin, one stands out as an immediate, real-world threat to Texas small and medium businesses: CVE-2025-10539 — a flawed TLS certificate validation in the DeskTime Time Tracking App that allows a man-in-the-middle attacker to execute arbitrary code on any employee's computer.

Here's how it works in practice:

DeskTime is an automatic time-tracking tool installed on employees' computers that periodically checks for software updates over HTTPS. The vulnerability is dead simple: when the app verifies the update server's TLS certificate, its logic essentially says "the certificate is valid as long as it's issued for the right hostname, even if the certificate chain is broken, self-signed, expired, or otherwise fraudulent." Hostname matching alone proves nothing about who issued the certificate; only chain validation against a trusted root does.

In layman's terms: any attacker sitting between a Texas SMB's network and the internet can pretend to be DeskTime's update server, push a malicious installer, and get it automatically installed on every employee's computer — without anyone clicking anything.
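The validation logic described above, modelled in Go as an added illustration (this is not DeskTime's code, whose internals are not public here): a hostname-only policy beside full verification, each exercised against a local self-signed HTTPS server standing in for a rogue update host. `example.com` is simply the name carried by the certificate that Go's `httptest` package ships with, so it plays the role of the expected update hostname.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Accepts reports whether an HTTPS GET under the given client TLS policy completes.
func Accepts(cfg *tls.Config, url string) bool {
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// WeakConfig models the flaw class described above (constructed illustration, not
// DeskTime's code): chain verification is off and only the leaf's hostname is checked.
func WeakConfig(host string) *tls.Config {
	return &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: true, // self-signed, expired or forged chains are never rejected
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("no server certificate")
			}
			return cs.PeerCertificates[0].VerifyHostname(host)
		},
	}
}

// HardenedConfig leaves chain, validity-period and hostname checks to the standard
// library against the system trust store (set RootCAs to pin the update CA).
func HardenedConfig(host string) *tls.Config {
	return &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
}

// Demo starts a local self-signed HTTPS server (httptest's certificate names
// "example.com") as a stand-in for a rogue update host and reports who trusted it.
func Demo() (weakAccepted, hardenedAccepted bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("manifest")) }))
	defer srv.Close()
	return Accepts(WeakConfig("example.com"), srv.URL), Accepts(HardenedConfig("example.com"), srv.URL)
}

func main() { w, h := Demo(); fmt.Printf("hostname-only accepted: %v, full verification accepted: %v\n", w, h) }
```

The weak policy trusts the self-signed server because the name matches; the hardened policy rejects it until its root is explicitly added to `RootCAs`, which is the behaviour an update client needs.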

SEC Consult discovered this flaw and initially reported that the vendor had no patch and no timeline to deliver one. By April 28, the vendor (DeskTime) did release patched version 1.3.674, but the window between discovery and patch was zero-day territory for anyone caught in that gap.

Exploitation requires the attacker to be in the network path between the endpoint and the update server, so anyone with access to your office Wi-Fi, a compromised router, an untrusted VPN connection, or the ability to perform a localized MITM attack (like Evil Twin Wi-Fi) could use it.

Which Texas SMBs Are at Risk Right Now

DeskTime is widely used by SMBs. It's marketed as "a time tracker that won't interrupt your team's workflow" and is positioned specifically at the small business / hybrid work management space.

Who's most exposed:

What a Texas SMB Should Do This Week

Immediate Actions (Do Today)

  1. Verify your DeskTime version: Check that all installations are on v1.3.674 or later.
  2. Update every endpoint: Force DeskTime to update on all employee machines, including remote and field workers.
  3. Review network logs: Look for any signs of MITM activity on your office Wi-Fi in the past 7 days.

This Week

  1. Audit all time-tracking tools: Are there other SMB-relevant SaaS tools with known TLS flaws?
  2. Review VPN policies: Ensure all remote workers connect through your corporate VPN, not public Wi-Fi.
  3. Scan for anomalies: Watch for unexpected processes or network connections from time-tracking applications.

Connection to CYFORi Services

At CYFORi, we regularly help Texas SMBs with:

Is Your Business at Risk?

Get a free cybersecurity assessment from CYFORi's team. We'll identify your vulnerabilities and build a tailored defense strategy.