CVE-2025-12687
📋 TL;DR
A vulnerability in TeamViewer DEX Client's Content Distribution Service (NomadBranch.exe) allows attackers to crash the service via specially crafted commands, causing denial of service. This affects Windows systems running TeamViewer DEX Client versions before 25.11. Organizations using this software for remote management and content distribution are impacted.
💻 Affected Systems
- TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Critical systems relying on TeamViewer DEX Client for remote management become unavailable, disrupting IT operations and potentially affecting business continuity.
Likely Case
Service disruption requiring manual restart of the TeamViewer DEX Client service, causing temporary loss of remote management capabilities.
If Mitigated
Minimal impact with quick service recovery if monitoring detects the crash and automated restart mechanisms are in place.
🎯 Exploit Status
The vulnerability allows unauthenticated exploitation via crafted commands, suggesting relatively simple exploitation once the command format is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.11 or later
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1005/
Restart Required: Yes
Instructions:
1. Download TeamViewer DEX Client version 25.11 or later from official sources. 2. Install the update following standard deployment procedures. 3. Restart affected systems or services to ensure the new version is active.
🔧 Temporary Workarounds
Restrict network access to NomadBranch service
windowsLimit network connections to the NomadBranch.exe service using firewall rules to reduce attack surface.
New-NetFirewallRule -DisplayName "Block NomadBranch External" -Direction Inbound -Program "C:\Program Files\TeamViewer\NomadBranch.exe" -Action Block
Implement service monitoring and auto-restart
windowsConfigure monitoring to detect service crashes and automatically restart the NomadBranch service.
sc failure "TeamViewer DEX Content Distribution" reset= 86400 actions= restart/5000
🧯 If You Can't Patch
- Segment network to isolate systems running vulnerable TeamViewer DEX Client versions
- Implement strict network monitoring for unusual traffic patterns to NomadBranch service ports
🔍 How to Verify
Check if Vulnerable:
Check the version of TeamViewer DEX Client installed. If version is below 25.11, the system is vulnerable.Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*TeamViewer DEX*"} | Select-Object Name, VersionVerify Fix Applied:
Confirm that TeamViewer DEX Client version is 25.11 or higher and that the NomadBranch.exe service is running without crashes.📡 Detection & Monitoring
Log Indicators:
- Application crash logs for NomadBranch.exe
- Windows Event Logs showing service termination (Event ID 7034)
Network Indicators:
- Unusual network traffic to NomadBranch service ports
- Multiple connection attempts with malformed data
SIEM Query:
EventID=7034 AND ServiceName="TeamViewer DEX Content Distribution" OR SourceName="Application Error" AND ProcessName="NomadBranch.exe"