CVE-2025-36537
📋 TL;DR
This vulnerability allows a local unprivileged user on Windows systems to delete arbitrary files with SYSTEM privileges by exploiting the MSI rollback mechanism in TeamViewer's Remote Management features. It affects TeamViewer Remote and Tensor versions prior to 15.67. Only users with local access to systems running vulnerable TeamViewer installations are affected.
💻 Affected Systems
- TeamViewer Remote
- TeamViewer Tensor
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could delete critical system files, causing system instability, data loss, or complete system compromise by removing security controls or configuration files.
Likely Case
Local users could delete important files for disruption or data destruction, potentially affecting business operations or causing service outages.
If Mitigated
With proper access controls and monitoring, impact would be limited to isolated incidents that could be quickly detected and contained.
🎯 Exploit Status
Requires local access and knowledge of MSI rollback mechanism exploitation. The vulnerability leverages Windows Installer rollback functionality to perform privileged file operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.67
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1002/
Restart Required: Yes
Instructions:
1. Download TeamViewer version 15.67 or later from the official website.
2. Run the installer with administrative privileges.
3. Follow the installation wizard.
4. Restart the system when prompted.
🔧 Temporary Workarounds
Disable Remote Management Features
Windows: Temporarily disable the vulnerable Remote Management features (Backup, Monitoring, Patch Management) until patching is possible.
Open TeamViewer → Extras → Options → Advanced → Show advanced options → Disable 'Backup', 'Monitoring', and 'Patch Management' features
Restrict Local User Access
Windows: Implement strict local user access controls to prevent unauthorized users from accessing systems with vulnerable TeamViewer installations.
🧯 If You Can't Patch
- Implement strict principle of least privilege for local user accounts
- Enable detailed auditing and monitoring for file deletion events on systems with TeamViewer installed
🔍 How to Verify
Check if Vulnerable:
Check TeamViewer version in the application (Help → About TeamViewer) and verify if it's below 15.67.
Check Version:
wmic product where "name='TeamViewer'" get version
Verify Fix Applied:
After updating, verify the version is 15.67 or higher in Help → About TeamViewer.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unexpected file deletions by SYSTEM account
- TeamViewer service logs showing abnormal MSI rollback operations
- Security logs showing privilege escalation attempts
Network Indicators:
- No network indicators - this is a local privilege escalation vulnerability
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectType='File' AND SubjectUserName='SYSTEM' AND ProcessName contains 'TeamViewer'
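An added example (not from the original page or from TeamViewer): the SIEM condition above applied to constructed audit records in Python, with the two event IDs grouped and, going beyond the page's query, narrowed to delete access. `AccessMask`, `SubjectUserSid` and `ObjectName` are standard fields of events 4656/4663; the paths, host name and the `process_hint` parameter are constructed for illustration.

```python
DELETE = 0x10000         # DELETE bit in the AccessMask field of 4656/4663
SYSTEM_SID = "S-1-5-18"  # well-known SID of the Local System account

def is_suspect(ev, process_hint="teamviewer"):
    """True when an audit record matches the grouped form of the query."""
    if ev.get("EventID") not in (4663, 4656):   # (4663 OR 4656) AND ...
        return False
    if ev.get("ObjectType") != "File":
        return False
    # SYSTEM activity may be logged under the machine account name, so the
    # SID is checked as well as the name.
    is_system = (ev.get("SubjectUserName", "").upper() == "SYSTEM"
                 or ev.get("SubjectUserSid") == SYSTEM_SID)
    if not is_system:
        return False
    if process_hint not in ev.get("ProcessName", "").lower():
        return False
    # Narrower than the page's query: keep delete access only.
    return bool(int(ev.get("AccessMask", "0x0"), 16) & DELETE)

def triage(events):
    """Map each affected path to the event IDs that matched it."""
    hits = {}
    for ev in events:
        if is_suspect(ev):
            hits.setdefault(ev["ObjectName"], []).append(ev["EventID"])
    return hits

def _ev(eid, user, sid, proc, mask, obj=r"C:\Example\protected\config.ini"):
    return {"EventID": eid, "ObjectType": "File", "SubjectUserName": user,
            "SubjectUserSid": sid, "ProcessName": proc, "AccessMask": mask,
            "ObjectName": obj}

TV = r"C:\Example\TeamViewer\service.exe"    # constructed path
SAMPLE_EVENTS = [                            # constructed records
    _ev(4656, "HOST01$", SYSTEM_SID, TV, "0x10000"),           # match via SID
    _ev(4663, "SYSTEM", SYSTEM_SID, TV, "0x10000"),            # match via name
    _ev(4663, "alice", "S-1-5-21-0-0-0-1001", TV, "0x10000"),  # not SYSTEM
    _ev(4663, "SYSTEM", SYSTEM_SID, r"C:\Example\other.exe", "0x10000"),  # other process
    _ev(4663, "SYSTEM", SYSTEM_SID, TV, "0x1"),                # read, not delete
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Without the grouping, the fourth record would match on `EventID=4663` alone in a query language where AND binds tighter than OR.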