CVE-2025-64995 is a vulnerability identified in TeamViewer DEX (formerly 1E DEX) affecting versions prior to 3.4. The issue stems from an uncontrolled search path element (CWE-427) within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction. This improper protection of the execution path allows an attacker with local access and elevated privileges to hijack the process execution flow. By manipulating the search path, the attacker can cause the system to load and execute malicious code with SYSTEM privileges, effectively escalating their privileges on the device. The vulnerability requires the attacker to have local access and already possess high privileges, as well as user interaction to trigger the vulnerable instruction. The CVSS 3.1 base score is 6.5, reflecting medium severity due to the combination of required conditions and the impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability poses a significant risk if exploited, as SYSTEM-level access grants full control over the affected system. The lack of available patches at the time of publication necessitates immediate attention to access controls and monitoring. This vulnerability is particularly relevant for organizations relying on TeamViewer DEX for remote management and endpoint health monitoring, as it could allow attackers to bypass security controls and compromise critical systems.

For European organizations, exploitation of this vulnerability could lead to full system compromise on devices running vulnerable versions of TeamViewer DEX. This would allow attackers to execute arbitrary code with SYSTEM privileges, potentially leading to data theft, disruption of services, and lateral movement within corporate networks. The impact is significant for enterprises using TeamViewer DEX in IT management, endpoint monitoring, or remote support roles, as compromised systems could undermine overall network security. Confidentiality is at risk due to unauthorized access to sensitive data, integrity is threatened by the possibility of malicious code execution and system manipulation, and availability could be affected if attackers disrupt critical services. The requirement for local access and high privileges limits the attack surface but does not eliminate risk, especially in environments with many users or insufficient endpoint security. European organizations with strict data protection regulations (e.g., GDPR) must consider the compliance implications of such a breach.

1. Apply patches or updates from TeamViewer as soon as they become available for DEX versions prior to 3.4. 2. Restrict local access to devices running TeamViewer DEX to trusted and authorized personnel only, minimizing the risk of local exploitation. 3. Implement strict endpoint security controls, including application whitelisting and monitoring of execution paths to detect unauthorized DLL or binary loading. 4. Use least privilege principles to limit user permissions, reducing the likelihood that an attacker can gain the required high privileges to exploit the vulnerability. 5. Monitor logs and system behavior for unusual activity related to the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction or unexpected process executions. 6. Conduct regular security audits and endpoint assessments to identify and remediate potential weaknesses in local device security. 7. Educate users about the risks of local privilege escalation and the importance of reporting suspicious behavior promptly.