CVE-2025-64994: CWE-427 Uncontrolled Search Path Element in TeamViewer DEX
A privilege escalation vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Nomad-SetWorkRate instruction prior to V17.1. The improper handling of executable search paths could allow local attackers with write access to a PATH directory on a device to escalate privileges and execute arbitrary code as SYSTEM.
AI Analysis
Technical Summary
CVE-2025-64994 is a privilege escalation vulnerability identified in TeamViewer DEX (formerly 1E DEX), specifically affecting versions prior to 17.1. The vulnerability stems from an uncontrolled search path element (CWE-427) in the 1E-Nomad-SetWorkRate instruction. This flaw allows local attackers who already have write access to directories listed in the system's PATH environment variable to place malicious executables that can be invoked with SYSTEM-level privileges. When the vulnerable instruction executes, it may run these attacker-controlled executables, resulting in arbitrary code execution with the highest system privileges. The vulnerability requires local access with some level of privilege (PR:H) and user interaction (UI:R), indicating that exploitation is not fully remote or automatic but still feasible in environments where users have write permissions to PATH directories. The CVSS v3.1 score of 6.5 reflects a medium severity, balancing the high impact on confidentiality, integrity, and availability with the limited attack vector and required privileges. No public exploits have been reported yet, but the nature of the vulnerability makes it a significant risk in environments where TeamViewer DEX is deployed for endpoint management or remote control. The lack of an official patch at the time of publication necessitates immediate mitigation through access control and monitoring.
Potential Impact
For European organizations, this vulnerability poses a significant risk due to the potential for local attackers or malicious insiders to escalate privileges to SYSTEM level, effectively gaining full control over affected devices. This can lead to unauthorized access to sensitive data, disruption of critical services, and the deployment of persistent malware or ransomware. Organizations relying on TeamViewer DEX for endpoint management, remote support, or IT automation are particularly vulnerable, as compromised systems could undermine the security of entire networks. The impact extends to confidentiality, integrity, and availability, as attackers could exfiltrate data, alter system configurations, or cause system outages. Given the medium severity and the requirement for local access, the threat is more pronounced in environments with lax endpoint security, insufficient user privilege restrictions, or shared workstations. European entities in sectors such as finance, healthcare, and critical infrastructure, where TeamViewer DEX is used, face heightened risks of operational disruption and data breaches.
Mitigation Recommendations
1. Immediately audit and restrict write permissions on all directories included in the system PATH environment variable to prevent unauthorized modification.
2. Implement strict endpoint security policies that limit local user privileges, ensuring that only trusted administrators have write access to critical system paths.
3. Monitor filesystem changes and employ integrity checking tools to detect unauthorized additions or modifications to executables in PATH directories.
4. Enforce application whitelisting to prevent execution of unapproved binaries, especially in directories accessible to multiple users.
5. Educate users about the risks of executing untrusted code and the importance of reporting suspicious activity.
6. Maintain up-to-date backups and incident response plans to mitigate potential damage from exploitation.
7. Once available, promptly apply official patches or updates from TeamViewer addressing this vulnerability.
8. Consider isolating or segmenting systems running TeamViewer DEX to limit lateral movement in case of compromise.
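One way to carry out the audit in recommendation 1, as an added example that is not TeamViewer's code or part of the original page: the PowerShell below lists machine-wide PATH directories on which a principal outside a trusted set holds write-type rights, and flags PATH entries that do not exist. The trusted SID list and the set of rights treated as dangerous are assumptions to adjust for your environment.

```powershell
# Added example (not vendor code): report machine PATH directories where a
# principal outside the trusted set can add files or rewrite the ACL.
# Run elevated so every ACL is readable.

# Assumption: only these well-known SIDs should hold write-type rights.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
)

# Rights that allow adding a file or changing the directory's ACL or owner.
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) can appear as raw bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$findings = foreach ($entry in ($machinePath -split ';' | Where-Object { $_ })) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist should be removed from PATH.
        [pscustomobject]@{ Directory = $dir; Principal = '(directory missing)'; Rights = $null }
        continue
    }
    $acl   = Get-Acl -LiteralPath $dir
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($trustedSids -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        # Show a readable account name when the SID resolves, else the SID.
        $name = try {
            $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $rule.IdentityReference.Value }
        [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $rule.FileSystemRights }
    }
}

$findings | Sort-Object Directory, Principal | Format-Table -AutoSize -Wrap
```

An empty result means no principal outside the trusted set holds those rights on any machine PATH directory; per-user PATH entries are not covered.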
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: TV
- Date Reserved: 2025-11-12T08:16:25.593Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693aad537d4c6f31f7a50468
Added to database: 12/11/2025, 11:38:59 AM
Last enriched: 12/11/2025, 11:55:27 AM
Last updated: 12/11/2025, 11:05:27 PM