1. Summary
Command Injection and Privilege Escalation vulnerabilities were identified in TeamViewer DEX (former 1E DEX). These vulnerabilities affect both the SaaS solution and the On-premise installations.
The vulnerabilities have been fixed with new versions listed below.
At this time, there is no indication that these vulnerabilities have been exploited in the wild.
2. Vulnerability Details
2.1 Command Injection in DEX Instructions (non-interactive)
|
CVE-ID |
|
|
Description |
A command injection vulnerability was discovered in several Instructions in TeamViewer DEX (former 1E DEX). Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform.
The vulnerabilities have been fixed with updated versions listed below. |
|
Affected Products |
|
|
CVSS3.1 Score |
Base Score 7.2 (High) |
|
CVSS3.1 Vector String |
|
|
Problem type |
2.2 Command Injection in DEX Instructions (interactive)
|
CVE-ID |
|
|
Description |
A command injection vulnerability was discovered in several Instructions in TeamViewer DEX (former 1E DEX). Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands.
Exploitation enables remote execution of elevated commands on devices connected to the platform. Exploitation requires the execution of a maliciously crafted instruction, which needs approval by a high privileged user other than the attacker.
The vulnerabilities have been fixed with updated versions listed below. |
|
Fixed Versions |
|
|
CVSS3.1 Score |
Base Score 6.8 (Medium) |
|
CVSS3.1 Vector String |
|
|
Problem type |
2.3 CVE-2025-46266
|
CVE-ID |
|
|
Description |
A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to coerce the service into transmitting data to an arbitrary internal IP address, potentially leaking sensitive information.
To exploit this vulnerability, an attacker needs local network-level access.
The vulnerability has been fixed with version 25.11. We recommend updating to the latest available version. |
|
CVSS3.1 Score |
Base Score 4.3 (Medium) |
|
CVSS3.1 Vector String |
|
|
Problem type |
|
|
Affected Products |
1E Client - NomadBranch.exe |
|
Fixed Versions |
1E Client 25.11.0.29 |
2.3 Privilege Escalation via Uncontrolled Search Path in 1E-Nomad-SetWorkRate
|
CVE-ID |
|
|
Description |
A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-SetWorkRate instruction prior V17.1. The improper handling of executable search paths could allow local attackers with write access to a PATH directory on a device to escalate privileges and execute arbitrary code as SYSTEM.
The vulnerability has been fixed with updated versions listed below. |
|
CVSS3.1 Score |
Base Score 6.5 (Medium) |
|
CVSS3.1 Vector String |
|
|
Problem type |
2.3 Privilege Escalation via Process Hijacking in 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting
|
CVE-ID |
|
|
Description |
A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction prior V3.4. Improper protection of the execution path on the local device allows attackers, with local access to the device during execution, to hijack the process and execute arbitrary code with SYSTEM privileges.
The vulnerability has been fixed with updated versions listed below. |
|
CVSS3.1 Score |
Base Score 6.5 (Medium) |
|
CVSS3.1 Vector String |
|
|
Problem type |
3. Affected products & versions
|
Product
|
Version
|
Info
|
|---|---|---|
|
TeamViewer (1E) DEX Platform: SaaS |
< 25.12 |
Some Instructions listed below must be updated manually via the Exchange. |
|
TeamViewer (1E) Platform: On-Premise |
All |
To update instructions, customers should contact their responsible CSM |
4. Solutions and mitigations
Update the below listed instruction as described. For SaaS customers, most instructions have been updated automatically with DEX platform version 25.12. On-Prem customers should contact their CSM for updates.
|
Instruction
|
Fixed Version
|
Mitigation: SaaS
|
Mitigation: On-prem
|
|---|---|---|---|
|
1E-Explorer-TachyonCore-DevicesListeningOnAPort |
21 |
No action required |
Update instruction |
|
1E-Nomad-GetCmContentLocations |
19.2 |
No action required |
Update instruction |
|
1E-Explorer-TachyonCore-LogoffUser |
21.1 |
No action required |
Update instruction |
|
1E-Nomad-SetWorkRate |
17.1 |
No action required |
Update instruction |
|
1E-PatchInsights-Deploy |
15 |
No action required |
Update instruction |
|
1E-Exchange-NomadClientHealth-ConfigureGeneralSettings |
3.4 |
Update instruction (via Exchange) |
Update instruction (via Exchange) |
|
1E-Nomad-PauseNomadJobQueue |
25 |
No action required |
Update instruction |
|
1E-Explorer-TachyonCore-FindFileBySizeAndHash |
21.1 |
No action required |
Update instruction |
|
1E Explorer-TachyonCore-CheckSimpleIoC |
Discontinued |
Delete from platform |
Delete from platform |
|
1E-ConfigMgrConsoleExtensions-StopConfigMgrClientService |
29 |
No action required |
Update instruction |
|
1E-ConfigMgrConsoleExtensions-TriggerApplicationDeploymentEvaluationCycle |
29 |
No action required |
Update instruction |
|
1E-ConfigMgrConsoleExtensions-TriggerClientHealthCheck |
30 |
No action required |
Update instruction |
|
1E-ConfigMgrConsoleExtensions-TriggerDiscoveryDataCollectionCycle |
29 |
No action required |
Update instruction |
|
1E-ConfigMgrConsoleExtensions-TriggerFileCollectionCycle |
29 |
No action required |
Update instruction |
|
1E-ConfigMgrConsoleExtensions-TriggerHardwareInventoryCycle |
29 |
No action required |
Update instruction |
|
1E-ConfigMgrConsoleExtensions-TriggerMachinePolicyRetrievalAndEvaluationCycle |
29 |
No action required |
Update instruction |
|
1E-ConfigMgrConsoleExtensions-TriggerSoftwareInventoryCycle |
29 |
No action required |
Update instruction |
|
1E-ConfigMgrConsoleExtensions-TriggerSoftwareMeteringUsageReportCycle |
29 |
No action required |
Update instruction |
|
1E-ConfigMgrConsoleExtensions-TriggerSoftwareUpdatesDeploymentEvaluationCycle |
29 |
No action required |
Update instruction |
|
1E-ConfigMgrConsoleExtensions-TriggerSoftwareUpdatesScanCycle |
29 |
No action required |
Update instruction |
If an immediate update is not possible, the following measures can reduce the risk of exploitation:
- Restrict Actioner-level permissions to trusted operators and enforce least privilege. Remove Actioner rights where not strictly required.
- Monitor logs and instruction execution history for anomalous parameter values or unexpected commandlike content.
5. Acknowledgments
We would like to thank the Lockheed Martin Red Team for the discovery and responsible disclosure.