Unrated

Hardcoded Cloud Credentials in Worksnaps Client Binaries

IdentifiersCVE-2025-10560CWE-798

CVE-2025-10560 is a critical vulnerability in Worksnaps client applications before version 1.6.20260201 caused by hardcoded cloud credentials and related secret material embedded in client binaries. According to the provided advisory content, affected binaries contained AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials authenticated as the AWS account root identity and provided access to Worksnaps production cloud resources. The advisory further states that an attacker with access to the affected binaries could extract or recover these credentials and use them to access production resources, including S3 buckets containing sensitive data such as screenshots of user desktops. Supporting analysis also indicates that multiple binaries exposed credential material and that later testing found additional credential exposure patterns, including decryptable credentials delivered to the client during login, before vendor-side fixes were completed.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation exposes sensitive cloud credentials that can be used to access Worksnaps production cloud resources. Based on the provided content, this included the ability to authenticate to AWS with highly privileged credentials, enumerate cloud assets such as S3 buckets and EC2 instances, and access sensitive data stored in S3, including screenshots of user desktops. The supplied facts also indicate high confidentiality, integrity, and availability impact, meaning compromise could enable data theft, unauthorized modification or deletion of cloud-hosted data, and disruption of affected cloud resources.

Mitigation

If you can’t patch tonight, do this now.

No complete workaround is described in the advisory content. Until remediation is fully applied, organizations should minimize distribution and use of affected Worksnaps client binaries, revoke and rotate exposed cloud credentials, monitor AWS account activity and S3 access for unauthorized use, restrict permissions on cloud identities and buckets, and reduce exposure of sensitive cloud resources. Where possible, disable or block legacy application behavior that returns reusable cloud credentials to clients.

Remediation

Patch, then assume compromise.

Upgrade Worksnaps to version 1.6.20260201 or later, which is identified in the provided content as the fixed release. In addition, immediately revoke and rotate all exposed cloud credentials and related secrets, including any AWS keys and other embedded cloud access material. Review and remove or further protect sensitive data stored in accessible S3 buckets, and validate that legacy API paths no longer return decryptable credential material to clients.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

WorksnapsWorksnapsapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

cvefeed high severityNews

Jun 18, 2026

CVE-2025-10560 - Hardcoded cloud credentials in Worksnaps client application binaries expose production cloud resources

A critical vulnerability in the Worksnaps client application where hardcoded AWS cloud credentials embedded in client binaries could be extracted and used to access Worksnaps production cloud resources, including sensitive S3 bucket data.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-10560

NVD

nvd.nist.gov/vuln/detail/CVE-2025-10560

MITRE CWE · CWE-798

cwe.mitre.org