CVE-2025-36537 in Full Clientinfo

Summary

by MITRE • 06/24/2025

Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior Version 15.67 on Windows allows a local unprivileged user to trigger arbitrary file deletion with SYSTEM privileges via leveraging the MSI rollback mechanism. The vulnerability only applies to the Remote Management features: Backup, Monitoring, and Patch Management.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2025

The vulnerability identified as CVE-2025-36537 represents a critical permission assignment flaw within the TeamViewer client software, specifically affecting versions prior to 15.67 on Windows systems. This issue resides in the TeamViewer Remote and Tensor products and demonstrates a significant security weakness that allows local unprivileged users to escalate their privileges and execute arbitrary file deletion operations with SYSTEM level privileges. The flaw is particularly concerning because it leverages the MSI rollback mechanism, which is typically used for software installation recovery processes but has been misconfigured to allow unauthorized file operations.

The technical implementation of this vulnerability exploits the improper handling of file permissions within the TeamViewer client's remote management features, specifically the Backup, Monitoring, and Patch Management functionalities. When a local user with standard privileges attempts to trigger certain operations through these management features, the system's MSI rollback mechanism inadvertently grants elevated permissions that allow file deletion operations at the SYSTEM level. This misconfiguration creates a privilege escalation path that bypasses normal access controls and security boundaries typically enforced by the Windows operating system. The vulnerability demonstrates a clear violation of the principle of least privilege and represents a failure in proper access control implementation.

The operational impact of this vulnerability is severe and multifaceted, affecting organizations that rely on TeamViewer for remote management and system administration. Attackers could potentially delete critical system files, backup data, or monitoring components that would otherwise require administrative privileges to remove. This capability extends beyond simple file deletion to potentially compromise the integrity and availability of remote management infrastructure. The vulnerability affects the core functionality of TeamViewer's remote management features, which are commonly used for system maintenance, monitoring, and patch deployment, making it particularly dangerous for enterprise environments where these features are actively utilized.

Organizations should immediately implement mitigations including updating to TeamViewer version 15.67 or later, which contains the necessary patches to address the permission assignment flaw. System administrators should also review and restrict access to the affected remote management features, particularly in environments where unprivileged users have access to the system. Network segmentation and monitoring of TeamViewer usage can help detect potential exploitation attempts. The vulnerability aligns with CWE-276, which addresses improper permissions assignment, and represents a clear violation of ATT&CK technique T1068, which covers local privilege escalation through system binary modification or exploitation of system vulnerabilities. Additionally, this issue demonstrates characteristics of T1547, related to boot or logon initialization scripts, as the vulnerability may be exploited during system initialization processes that involve MSI operations. Organizations should also consider implementing additional controls such as mandatory access controls, privilege monitoring, and regular security assessments to prevent exploitation of similar vulnerabilities in their remote management infrastructure.

Reservation

04/30/2025

Disclosure

06/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00158

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!