CVE-2025-64990
📋 TL;DR
A command injection vulnerability in TeamViewer DEX (formerly 1E DEX) allows authenticated attackers with Actioner privileges to execute arbitrary commands on connected devices. This enables remote code execution with elevated privileges on systems managed through the platform. Organizations using vulnerable versions of TeamViewer DEX are affected.
💻 Affected Systems
- TeamViewer DEX (formerly 1E DEX)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all connected devices, allowing attackers to deploy ransomware, steal sensitive data, or establish persistent backdoors across the entire managed environment.
Likely Case
Targeted compromise of specific devices for data exfiltration, lateral movement within the network, or deployment of malware on selected systems.
If Mitigated
Limited impact due to network segmentation, least privilege access controls, and comprehensive monitoring detecting anomalous command execution.
🎯 Exploit Status
Exploitation requires authenticated access, but command injection vulnerabilities are typically straightforward to weaponize once discovered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V21.1 and later
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
Restart Required: Yes
Instructions:
1. Download TeamViewer DEX version 21.1 or later from official sources.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart affected services/systems.
5. Verify successful update.
🔧 Temporary Workarounds
Restrict Actioner Privileges
All platforms: Temporarily reduce the number of users with Actioner privileges to only essential personnel.
Network Segmentation
All platforms: Isolate TeamViewer DEX management traffic from production systems using firewalls or network segmentation.
🧯 If You Can't Patch
- Implement strict input validation and command sanitization at the application layer
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious command execution
🔍 How to Verify
Check if Vulnerable:
Check TeamViewer DEX version in administration console; versions below 21.1 are vulnerable.
Check Version:
Check via TeamViewer DEX administration interface or consult vendor documentation for CLI version check.
Verify Fix Applied:
Confirm version is 21.1 or higher in administration console and verify the 1E-Explorer-TachyonCore-LogoffUser instruction has proper input validation.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns via 1E-Explorer-TachyonCore-LogoffUser
- Multiple failed authentication attempts followed by successful Actioner login
- Suspicious command strings in DEX execution logs
Network Indicators:
- Anomalous outbound connections from DEX-managed devices
- Unexpected network traffic patterns from DEX servers
SIEM Query:
source="teamviewer_dex" AND event="command_execution" AND (command="*;*" OR command="*|*" OR command="*&*" OR command="*`*")
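
The log indicators and SIEM query above can be prototyped offline before being ported to a SIEM. The following Python is an added example, not TeamViewer's code or log format; it applies the metacharacter test only to DEX command-execution events and raises the severity when the instruction is the one named on this page. Assumptions: the JSON-lines layout and the `instruction` and `user` fields are hypothetical, the sample events are constructed, and `source`, `event` and `command` follow the query's field names.

```python
import json
import re

# Shell metacharacters the SIEM query above looks for: ; | & `
METACHARS = re.compile(r"[;|&`]")
INSTRUCTION = "1E-Explorer-TachyonCore-LogoffUser"  # instruction named on this page

# Constructed sample events. The JSON-lines layout and the "instruction" and
# "user" fields are assumptions; "source", "event", "command" follow the query.
SAMPLE_LOG = """\
{"source": "teamviewer_dex", "event": "command_execution", "instruction": "1E-Explorer-TachyonCore-LogoffUser", "user": "actioner1", "command": "jdoe"}
{"source": "teamviewer_dex", "event": "command_execution", "instruction": "1E-Explorer-TachyonCore-LogoffUser", "user": "actioner2", "command": "jdoe & echo constructed-test"}
{"source": "teamviewer_dex", "event": "config_change", "user": "admin1", "command": "retention=30;archive=on"}
{"source": "other_app", "event": "command_execution", "user": "svc", "command": "a | b"}
truncated {
{"source": "teamviewer_dex", "event": "command_execution", "instruction": "Constructed-Other-Instruction", "user": "actioner3", "command": "list | sort"}
"""


def scan(lines):
    """Return (findings, skipped): flagged events and the count of unparseable lines."""
    findings, skipped = [], 0
    for lineno, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except ValueError:
            skipped += 1  # keep a count: dropped lines are a blind spot
            continue
        if not isinstance(ev, dict):
            skipped += 1
            continue
        # Source and event type must both match before the command is inspected.
        if ev.get("source") != "teamviewer_dex" or ev.get("event") != "command_execution":
            continue
        command = str(ev.get("command", ""))
        hits = sorted(set(METACHARS.findall(command)))
        if hits:
            severity = "high" if ev.get("instruction") == INSTRUCTION else "review"
            findings.append({"line": lineno, "user": ev.get("user"),
                             "severity": severity, "metachars": hits, "command": command})
    return findings, skipped


if __name__ == "__main__":
    findings, skipped = scan(SAMPLE_LOG.splitlines())
    for finding in findings:
        print(finding)
    print(f"{skipped} unparseable line(s) skipped")
```

Values that legitimately contain `&` or `;` will also match, so treat `review` findings as triage input rather than confirmed injection.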