CVE-2025-64994
📋 TL;DR
A privilege escalation vulnerability in TeamViewer DEX (formerly 1E DEX) allows local attackers with write access to a PATH directory to execute arbitrary code with SYSTEM privileges. This affects organizations using vulnerable versions of TeamViewer DEX for endpoint management. Attackers must already have local access to the target system.
💻 Affected Systems
- TeamViewer DEX (formerly 1E DEX)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM compromise allowing complete control over the device, installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation leading to data exfiltration, installation of backdoors, or disabling security controls on individual endpoints.
If Mitigated
Limited impact due to restricted PATH directory write permissions and proper access controls preventing local attacker foothold.
🎯 Exploit Status
Requires local access and write permissions to PATH directory. No public exploit code known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V17.1 or later
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
Restart Required: Yes
Instructions:
1. Download TeamViewer DEX V17.1 or later from official sources. 2. Run the installer with administrative privileges. 3. Follow installation prompts. 4. Restart affected systems to complete the update.
🔧 Temporary Workarounds
Restrict PATH Directory Write Permissions
windowsRemove write permissions for non-administrative users from directories in the system PATH environment variable.
icacls "C:\Windows\System32" /deny Users:(OI)(CI)W
icacls "C:\Windows" /deny Users:(OI)(CI)W
Remove Unnecessary PATH Entries
windowsClean up system PATH variable to remove unnecessary directories that users might have write access to.
Control Panel > System > Advanced system settings > Environment Variables > Edit PATH
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from writing to PATH directories.
- Monitor for suspicious privilege escalation attempts and file creation in system directories.
🔍 How to Verify
Check if Vulnerable:
Check TeamViewer DEX version and verify if it's below V17.1. Also check if non-admin users have write access to any PATH directories.Check Version:
Check TeamViewer DEX version in Control Panel > Programs and Features or using the application interface.Verify Fix Applied:
Confirm TeamViewer DEX version is V17.1 or higher and verify PATH directory permissions are properly restricted.📡 Detection & Monitoring
Log Indicators:
- Unexpected SYSTEM privilege processes spawned from TeamViewer DEX components
- File creation/modification in system PATH directories by non-admin users
- Security event logs showing privilege escalation
Network Indicators:
- Unusual outbound connections from systems running TeamViewer DEX
SIEM Query:
EventID=4688 AND ProcessName LIKE '%TeamViewer%' AND NewProcessName LIKE '%SYSTEM%'