TV-2025-1006

1. Summary

Command Injection and Privilege Escalation vulnerabilities were identified in TeamViewer DEX (former 1E DEX). These vulnerabilities affect both the SaaS solution and the On-premise installations.

The vulnerabilities have been fixed with new versions listed below.

At this time, there is no indication that these vulnerabilities have been exploited in the wild.

2. Vulnerability Details

2.1 Command Injection in DEX Instructions (non-interactive)

CVE-ID	CVE-2025-64986 CVE-2025-64987 CVE-2025-64988 CVE-2025-64989
Description	A command injection vulnerability was discovered in several Instructions in TeamViewer DEX (former 1E DEX). Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. The vulnerabilities have been fixed with updated versions listed below.
Affected Products	1E-Explorer-TachyonCore-DevicesListeningOnAPort 1E-Explorer-TachyonCore-CheckSimpleIoC 1E-Nomad-GetCmContentLocations 1E-Explorer-TachyonCore-FindFileBySizeAndHash
CVSS3.1 Score	Base Score 7.2 (High)
CVSS3.1 Vector String	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Problem type	CWE-20: Improper Input Validation

2.2 Command Injection in DEX Instructions (interactive)

CVE-ID	CVE-2025-64990 CVE-2025-64991 CVE-2025-64992 CVE-2025-64993
Description	A command injection vulnerability was discovered in several Instructions in TeamViewer DEX (former 1E DEX). Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. Exploitation requires the execution of a maliciously crafted instruction, which needs approval by a high privileged user other than the attacker. The vulnerabilities have been fixed with updated versions listed below.
Fixed Versions	1E-Explorer-TachyonCore-LogoffUser 1E-PatchInsights-Deploy 1E-Nomad-PauseNomadJobQueue 1E-ConfigMgrConsoleExtensions (several)
CVSS3.1 Score	Base Score 6.8 (Medium)
CVSS3.1 Vector String	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Problem type	CWE-20: Improper Input Validation

2.3 CVE-2025-46266

CVE-ID	CVE-2025-46266
Description	A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to coerce the service into transmitting data to an arbitrary internal IP address, potentially leaking sensitive information. To exploit this vulnerability, an attacker needs local network-level access. The vulnerability has been fixed with version 25.11. We recommend updating to the latest available version.
CVSS3.1 Score	Base Score 4.3 (Medium)
CVSS3.1 Vector String	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Problem type	CWE-20: Improper Input Validation
Affected Products	1E Client - NomadBranch.exe
Fixed Versions	1E Client 25.11.0.29

2.3 Privilege Escalation via Uncontrolled Search Path in 1E-Nomad-SetWorkRate

CVE-ID	CVE-2025-64994
Description	A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-SetWorkRate instruction prior V17.1. The improper handling of executable search paths could allow local attackers with write access to a PATH directory on a device to escalate privileges and execute arbitrary code as SYSTEM. The vulnerability has been fixed with updated versions listed below.
CVSS3.1 Score	Base Score 6.5 (Medium)
CVSS3.1 Vector String	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Problem type	CWE-427: Uncontrolled Search Path Element

2.3 Privilege Escalation via Process Hijacking in 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting

CVE-ID	CVE-2025-64995
Description	A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction prior V3.4. Improper protection of the execution path on the local device allows attackers, with local access to the device during execution, to hijack the process and execute arbitrary code with SYSTEM privileges. The vulnerability has been fixed with updated versions listed below.
CVSS3.1 Score	Base Score 6.5 (Medium)
CVSS3.1 Vector String	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Problem type	CWE-427: Uncontrolled Search Path Element

3. Affected products & versions

Product	Version	Info
TeamViewer (1E) DEX Platform: SaaS	< 25.12	Some Instructions listed below must be updated manually via the Exchange.
TeamViewer (1E) Platform: On-Premise	All	To update instructions, customers should contact their responsible CSM

4. Solutions and mitigations

Update the below listed instruction as described. For SaaS customers, most instructions have been updated automatically with DEX platform version 25.12. On-Prem customers should contact their CSM for updates.

Instruction	Fixed Version	Mitigation: SaaS	Mitigation: On-prem
1E-Explorer-TachyonCore-DevicesListeningOnAPort	21	No action required	Update instruction
1E-Nomad-GetCmContentLocations	19.2	No action required	Update instruction
1E-Explorer-TachyonCore-LogoffUser	21.1	No action required	Update instruction
1E-Nomad-SetWorkRate	17.1	No action required	Update instruction
1E-PatchInsights-Deploy	15	No action required	Update instruction
1E-Exchange-NomadClientHealth-ConfigureGeneralSettings	3.4	Update instruction (via Exchange)	Update instruction (via Exchange)
1E-Nomad-PauseNomadJobQueue	25	No action required	Update instruction
1E-Explorer-TachyonCore-FindFileBySizeAndHash	21.1	No action required	Update instruction
1E Explorer-TachyonCore-CheckSimpleIoC	Discontinued	Delete from platform	Delete from platform
1E-ConfigMgrConsoleExtensions-StopConfigMgrClientService	29	No action required	Update instruction
1E-ConfigMgrConsoleExtensions-TriggerApplicationDeploymentEvaluationCycle	29	No action required	Update instruction
1E-ConfigMgrConsoleExtensions-TriggerClientHealthCheck	30	No action required	Update instruction
1E-ConfigMgrConsoleExtensions-TriggerDiscoveryDataCollectionCycle	29	No action required	Update instruction
1E-ConfigMgrConsoleExtensions-TriggerFileCollectionCycle	29	No action required	Update instruction
1E-ConfigMgrConsoleExtensions-TriggerHardwareInventoryCycle	29	No action required	Update instruction
1E-ConfigMgrConsoleExtensions-TriggerMachinePolicyRetrievalAndEvaluationCycle	29	No action required	Update instruction
1E-ConfigMgrConsoleExtensions-TriggerSoftwareInventoryCycle	29	No action required	Update instruction
1E-ConfigMgrConsoleExtensions-TriggerSoftwareMeteringUsageReportCycle	29	No action required	Update instruction
1E-ConfigMgrConsoleExtensions-TriggerSoftwareUpdatesDeploymentEvaluationCycle	29	No action required	Update instruction
1E-ConfigMgrConsoleExtensions-TriggerSoftwareUpdatesScanCycle	29	No action required	Update instruction

If an immediate update is not possible, the following measures can reduce the risk of exploitation:

Restrict Actioner-level permissions to trusted operators and enforce least privilege. Remove Actioner rights where not strictly required.
Monitor logs and instruction execution history for anomalous parameter values or unexpected commandlike content.

5. Acknowledgments

We would like to thank the Lockheed Martin Red Team for the discovery and responsible disclosure.

Command Injection and Privilege Escalation vulnerabilities in Teamviewer DEX (former 1E DEX) Instructions

1. Summary

2. Vulnerability Details

3. Affected products & versions

4. Solutions and mitigations

5. Acknowledgments

Veuillez choisir votre région

RÉGION SUGGÉRÉE

Americas

Asia Pacific

Commonwealth of Independent States

Europe

Middle East Africa