Ddos 
TeamViewer has issued important security bulletins addressing multiple vulnerabilities across its Digital Employee Experience (DEX) product line (formerly 1E). The updates patch high-severity flaws in both the Windows Client and the central Platform that could allow attackers to bypass integrity checks, execute arbitrary code, and escalate privileges.
The vulnerabilities affect the Content Distribution Service (Nomad Branch.exe) and various DEX Instructions, exposing organizations to risks from both local network intruders and malicious insiders.
The most critical vulnerability identified in the Client software is CVE-2025-44016, carrying a High Severity CVSS score of 8.8. This flaw resides in the Content Distribution Service, specifically affecting versions prior to 25.11 on Windows.
The vulnerability stems from improper input validation that allows a malicious actor on the local network to trick the service. “By providing a valid hash for a malicious file, an attacker can cause the service to incorrectly validate and process the file as trusted,” the advisory explains.
Once the system is fooled into trusting the malicious file, the attacker can achieve arbitrary code execution under the context of the Nomad Branch service—effectively hijacking the background process used for content distribution.
Alongside this critical flaw, TeamViewer also patched:
- CVE-2025-12687 (CVSS 6.5): A Denial of Service (DoS) flaw where a crafted command can crash the application.
- CVE-2025-46266 (CVSS 4.3): A data leak vulnerability allowing attackers to coerce the service into transmitting data to an arbitrary internal IP.
A separate set of vulnerabilities targets the TeamViewer DEX Platform itself, affecting both SaaS and On-Premise installations. These flaws involve Command Injection within specific “Instructions”—the scripts used to manage devices.
Tracked as CVE-2025-64986 through CVE-2025-64989 (CVSS 7.2), these issues allow an authenticated attacker with “Actioner” privileges to break out of the intended script logic. “Improper input validation… allowing authenticated attackers with Actioner privileges to inject arbitrary commands,” the security bulletin states. This could enable remote execution of elevated commands on connected devices.
Additionally, researchers discovered Privilege Escalation flaws (CVE-2025-64994 and CVE-2025-64995) in instructions like 1E-Nomad-SetWorkRate. These vulnerabilities exploit “uncontrolled search paths,” allowing local attackers with write access to specific directories to hijack processes and execute code as SYSTEM.
TeamViewer has released fixes for all identified issues.
- For the Client: Administrators are urged to update the TeamViewer DEX Client to version 25.11 or later immediately.
- For the Platform: SaaS customers will see most instructions updated automatically with platform version 25.12, though some may require manual action via the Exchange. On-Premise customers must contact their Customer Success Manager (CSM) to obtain the updated instructions.
Currently, there is no indication that these vulnerabilities have been exploited in the wild. However, given the potential for code execution, rapid remediation is advised.
Related Posts:
- TeamViewer Remote Management Bug (CVE-2025-36537) Enables Privilege Escalation
- CVE-2025-0065: TeamViewer Patches Privilege Escalation Vulnerability in Windows Clients
- High-Severity Flaw in HashiCorp Nomad (CVE-2025-4922) Allows Privilege Escalation
- CVE-2022-39222: Authentication bypass bug in openID connect provider Dex
Donate