CVE-2025-46266
📋 TL;DR
This vulnerability in TeamViewer DEX Client's Content Distribution Service allows attackers to redirect the service to send data to arbitrary internal IP addresses, potentially exposing sensitive information. It affects Windows systems running TeamViewer DEX Client (formerly 1E Client) versions prior to 25.11. The risk is primarily internal to networks where the service operates.
💻 Affected Systems
- TeamViewer DEX Client (formerly 1E Client)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Sensitive configuration data, credentials, or deployment information could be exfiltrated to attacker-controlled internal systems, enabling lateral movement or further attacks.
Likely Case
Limited information disclosure of service configuration or deployment data to internal systems, potentially revealing network topology or service details.
If Mitigated
With proper network segmentation and access controls, impact is limited to non-sensitive data or prevented entirely.
🎯 Exploit Status
Requires internal network access and ability to interact with the service. No public exploit code is available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.11 or later
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1005/
Restart Required: Yes
Instructions:
1. Download TeamViewer DEX Client version 25.11 or later from official sources. 2. Install the update following standard deployment procedures. 3. Restart affected systems to ensure the updated service is running.
🔧 Temporary Workarounds
Network Segmentation
windowsRestrict network access to the Content Distribution Service to only necessary systems using firewall rules.
Service Hardening
windowsConfigure the service to run with minimal privileges and restrict its network communication capabilities.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Content Distribution Service from untrusted systems
- Monitor network traffic from NomadBranch.exe for unusual destination IP addresses
🔍 How to Verify
Check if Vulnerable:
Check the version of TeamViewer DEX Client installed. Versions below 25.11 are vulnerable.Check Version:
Check TeamViewer DEX Client version in Control Panel > Programs and Features or via the application interfaceVerify Fix Applied:
Verify that TeamViewer DEX Client version is 25.11 or higher and that NomadBranch.exe service is running the updated version.📡 Detection & Monitoring
Log Indicators:
- Unusual network connections from NomadBranch.exe
- Service restart events for TeamViewer DEX components
Network Indicators:
- Unexpected outbound connections from NomadBranch.exe to internal IP addresses
- Unusual data transfers from the Content Distribution Service
SIEM Query:
source="NomadBranch.exe" AND (dest_ip NOT IN [expected_ip_range])