
Worksnaps Client Hardcoded Cloud Credentials Disclosure

CVE advisory · Severity: CRITICAL (CVSS 9.3)

CVE-2025-10560

Worksnaps client applications contain hardcoded cloud credentials, including AWS access keys and S3 bucket information. An attacker with access to the client binaries could extract these credentials to gain unauthorized access to sensitive production cloud resources, such as user desktop screenshots. The risk is contin

Halo Surface Signal

Very unlikely · external exposure

Halo Surface Signal

The vulnerability exists within client application binaries (the Worksnaps client). This is a client-side issue where the exposure is local to the machine on which the software is installed, rather than a network-reachable service, gateway, or public-facing endpoint.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability found in Worksnaps client applications that exposes hardcoded cloud credentials. These credentials, including AWS access keys and S3 bucket information, could allow unauthorized access to production cloud resources and sensitive user data. The main concern is confirming whether these client applications are in use and exposed.

  • Hardcoded credentials found in client software.
  • Confirm whether the client software is in use.
  • Assess potential exposure of cloud resources.

Attack Path

How an attacker could exploit the issue

An attacker who gains access to the Worksnaps client application's binary files can extract hardcoded cloud credentials. These credentials, which include AWS access keys and S3 bucket information, were found to authenticate as the root identity for Worksnaps' production cloud resources. This exposure could allow an attacker to access sensitive data stored in Worksnaps' cloud storage, such as user desktop screenshots.

  • Access to client application binaries needed.
  • Extract hardcoded cloud credentials.
  • Access to sensitive cloud data.

Live Threat

Current exploitation, exposure, and threat context

Hardcoded cloud credentials within the Worksnaps client application binaries could expose sensitive production cloud resources. As the advisory describes, an attacker with access to these binaries could extract credentials to access cloud resources, including S3 buckets containing user desktop screenshots.

  • Sensitive user and production cloud data.
  • Extraction of hardcoded credentials from binaries.
  • Unauthorized access to cloud resources and data.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Worksnaps client application contains hardcoded cloud credentials, posing a risk to production cloud resources. Identifying where this client is installed, confirming its reachability to sensitive data, and locating the accountable owner are the critical first steps. Remediation planning should then be based on the assessed risk and business criticality of affected resources.

  • Identify all Worksnaps client installations.
  • Verify reachability and business criticality.
  • Plan remediation based on exposure.


Frequently asked questions

What is the Worksnaps software mentioned in CVE-2025-10560?

Worksnaps is a productivity tool used to track work activity, often used in remote or distributed teams. The software includes client application binaries installed on user computers to capture data, such as desktop screenshots, which are then transmitted to cloud storage for review.

What does CWE-798 mean in the context of this vulnerability?

CWE-798 refers to the use of hardcoded credentials. In this CVE, it means that sensitive secrets—specifically AWS access keys—were embedded directly into the Worksnaps client software. Instead of using a secure, dynamic method for authentication, these keys were permanently written into the application's code, making them retrievable by anyone who inspects the binary files.

How are these hardcoded credentials triggered?

This vulnerability does not require complex remote network exploitation. An attacker simply needs access to the installed Worksnaps client binary files on a computer. Once they have these files, they can extract the secrets. It is not triggered by standard network traffic or typical user interaction with the application interface.

Is my organization at risk according to Halo Surface Signal?

Halo Surface Signal indicates that this risk is very unlikely to be an internet-facing threat. Because the vulnerability resides inside client-side software rather than a public web server or gateway, the primary exposure is local to the specific machines where the Worksnaps client is installed, rather than a broad network-reachable vulnerability.

What steps should I take if I use Worksnaps?

Begin by creating an inventory of all systems where the Worksnaps client is currently installed. Since the vulnerability is contained within the software itself, focus on identifying these endpoints and coordinating with your internal teams to update to the latest version of the client, which removes these hardcoded credentials.
