CVE-2025-64995 in DEX
Summary
by MITRE • 12/11/2025
A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction prior V3.4. Improper protection of the execution path on the local device allows attackers, with local access to the device during execution, to hijack the process and execute arbitrary code with SYSTEM privileges.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/09/2026
The vulnerability CVE-2025-64995 represents a critical privilege escalation flaw in TeamViewer DEX, formerly known as 1E DEX, affecting versions prior to V3.4. This vulnerability specifically targets the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction within the software's execution framework. The flaw resides in the insufficient protection mechanisms governing the local device execution path, creating a dangerous attack surface that can be exploited by malicious actors with local system access.
The technical implementation of this vulnerability stems from inadequate input validation and privilege management within the NomadClientHealth component of TeamViewer DEX. When the ConfigureGeneralSetting instruction executes, the system fails to properly validate the execution context and trust boundaries, allowing an attacker with local access to manipulate the process execution flow. This weakness manifests as a direct path to privilege escalation, enabling the attacker to inject malicious code that executes with SYSTEM-level privileges rather than the current user context. The vulnerability essentially creates a backdoor execution path that bypasses normal operating system security controls and privilege separation mechanisms.
From an operational impact perspective, this vulnerability poses significant risks to enterprise environments where TeamViewer DEX is deployed for remote management and device monitoring. Attackers who gain local access to a compromised system can leverage this flaw to achieve complete system compromise without requiring additional exploitation vectors or elevated privileges. The ability to execute arbitrary code with SYSTEM privileges means that attackers can install persistent backdoors, exfiltrate sensitive data, modify system configurations, or establish covert command and control channels. This vulnerability effectively undermines the security posture of organizations relying on TeamViewer DEX for device management, as it provides a direct path to full system compromise from a local access point.
The vulnerability aligns with CWE-284 (Improper Access Control) and CWE-787 (Out-of-bounds Write) categories, representing a classic case of insufficient privilege validation combined with inadequate process integrity protection. From an ATT&CK framework perspective, this vulnerability maps to T1068 (Local Privilege Escalation) and T1547.001 (Registry Run Keys) as attackers can leverage the SYSTEM privileges to establish persistence mechanisms. Organizations should immediately implement the recommended mitigation strategies including upgrading to TeamViewer DEX version 3.4 or later, implementing strict access controls for local system access, and monitoring for suspicious process execution patterns. Additionally, network segmentation and privilege least-privilege principles should be enforced to limit the potential impact of such vulnerabilities in the event of compromise.