CVE-2025-64995
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in TeamViewer DEX (formerly 1E DEX) where attackers with local access during execution can hijack the process and execute arbitrary code with SYSTEM privileges. It affects systems running vulnerable versions of the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction. Organizations using TeamViewer DEX for remote management are primarily affected.
💻 Affected Systems
- TeamViewer DEX (formerly 1E DEX)
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full SYSTEM privileges on affected devices, enabling complete system compromise, data theft, lateral movement, and persistence establishment.
Likely Case
Malicious insiders or attackers with initial foothold escalate privileges to SYSTEM to bypass security controls and install malware.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated systems with rapid detection and containment.
🎯 Exploit Status
Exploitation requires local access during execution, making it accessible to attackers with initial foothold. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V3.4 or later
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/
Restart Required: Yes
Instructions:
1. Download TeamViewer DEX V3.4 or later from official TeamViewer sources.
2. Install the update following vendor instructions.
3. Restart affected systems to ensure the patch is fully applied.
4. Verify the update was successful using version checking methods.
🔧 Temporary Workarounds
Restrict local access
Windows: Limit local access to devices running TeamViewer DEX to trusted personnel only
Monitor execution
Windows: Implement monitoring for execution of the vulnerable instruction and related processes
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit who can execute the vulnerable component.
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts and suspicious process behavior.
🔍 How to Verify
Check if Vulnerable:
Check the version of TeamViewer DEX installed. If it's prior to V3.4 and the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction is present, the system is vulnerable.
Check Version:
Check TeamViewer DEX version through the application interface or consult vendor documentation for version checking methods.
Verify Fix Applied:
Confirm TeamViewer DEX is updated to V3.4 or later and verify the vulnerable instruction no longer exhibits the path protection issue.
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution with SYSTEM privileges
- Suspicious activity related to 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction
- Failed or unexpected privilege escalation attempts
Network Indicators:
- Unusual outbound connections from systems running TeamViewer DEX
- Lateral movement attempts from previously compromised systems
SIEM Query:
Process creation events where parent process is related to TeamViewer DEX and child process runs with SYSTEM privileges unexpectedly
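
The SIEM logic above, expressed over Sysmon-style process-creation events (Event ID 1), as an added example that is not from TeamViewer or the original page. The agent executable name, the child-process baseline and the sample events are constructed placeholders; replace them with values from your own environment.

```python
import ntpath

# Assumption: placeholder name. Replace with the DEX agent executable(s) in your estate.
DEX_PARENT_IMAGES = {"dex-agent-placeholder.exe"}
# Assumption: baseline of children the agent legitimately spawns, built from your own telemetry.
EXPECTED_CHILD_PATHS = {r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"}


def is_system(event):
    """True if the process ran as SYSTEM. The account name is localized on
    non-English Windows, so Sysmon's IntegrityLevel is checked as well."""
    user = event.get("User", "").upper()
    return user.endswith("\\SYSTEM") or event.get("IntegrityLevel") == "System"


def unexpected_system_children(events):
    """Return events where a DEX parent spawned a SYSTEM child outside the baseline."""
    hits = []
    for ev in events:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ev.get("Image", "").lower()
        if parent in DEX_PARENT_IMAGES and is_system(ev) and child not in EXPECTED_CHILD_PATHS:
            hits.append(ev)
    return hits


# Constructed sample events using Sysmon Event ID 1 field names.
AGENT = r"C:\Program Files\ExampleDEX\dex-agent-placeholder.exe"
SAMPLE_EVENTS = [
    {"ParentImage": AGENT, "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": AGENT, "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
     "Image": r"C:\Users\Public\helper.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "User": r"CONTOSO\alice",
     "IntegrityLevel": "Medium", "Image": r"C:\Users\Public\helper.exe"},
    {"ParentImage": AGENT, "User": "AUTORITE NT\\Système", "IntegrityLevel": "System",
     "Image": r"C:\ProgramData\Temp\run.exe"},
]

if __name__ == "__main__":
    for hit in unexpected_system_children(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"], "as", hit["User"])
```

Build the baseline from a period of known-good telemetry before alerting on it, otherwise routine instruction runs will dominate the results.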