Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-44016

CVE-2025-44016: TeamViewer DEX Client RCE Vulnerability

CVE-2025-44016 is a remote code execution vulnerability in TeamViewer Digital Employee Experience Client that allows attackers to bypass file validation and execute arbitrary code. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-44016 Overview

CVE-2025-44016 is a file integrity validation bypass in the TeamViewer Digital Employee Experience (DEX) Client, formerly known as the 1E client. The flaw resides in the Content Distribution Service binary NomadBranch.exe on Windows hosts prior to version 25.11. An attacker on an adjacent network can craft a request that supplies a valid hash for a malicious file. The service then accepts the file as trusted and processes it, leading to arbitrary code execution under the Nomad Branch service context.

Critical Impact

Successful exploitation grants arbitrary code execution under the privileged Nomad Branch service account, enabling lateral movement and persistence across enterprise endpoints managed by TeamViewer DEX.

Affected Products

  • TeamViewer Digital Employee Experience (DEX) Client, formerly 1E Client, versions prior to 25.11
  • TeamViewer DEX Content Distribution Service (NomadBranch.exe)
  • Microsoft Windows hosts running the affected client

Discovery Timeline

  • 2025-12-11 - CVE-2025-44016 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-44016

Vulnerability Analysis

The TeamViewer DEX Content Distribution Service (NomadBranch.exe) distributes software and content packages to managed Windows endpoints. The service validates incoming files using a hash-based integrity check before processing them as trusted content. The validation logic accepts a hash value supplied within the request itself rather than enforcing a hash bound to an authenticated, server-side manifest. An attacker who can deliver a crafted request to the service can submit a malicious file together with a matching hash, satisfying the integrity check. The service then processes the file as a trusted content payload, which results in code execution under the Nomad Branch service context. The weakness is classified under [CWE-20] Improper Input Validation.

Root Cause

The root cause is trust placed in attacker-controlled metadata. NomadBranch.exe treats a hash value supplied through the request as authoritative proof of file integrity. The service does not cross-check the hash against an out-of-band, signed source of truth before executing or staging the file. Any actor able to reach the service interface can therefore substitute arbitrary payloads.

Attack Vector

Exploitation requires adjacent network access to the affected Windows host. No authentication or user interaction is required. The attacker sends a crafted request to the Content Distribution Service that references a malicious file and includes a hash matching that file. Once the service accepts the file as valid, the payload executes in the Nomad Branch service context, which typically runs with elevated privileges on the endpoint. Refer to the TeamViewer Security Bulletin TV-2025-1005 for vendor technical details.

Detection Methods for CVE-2025-44016

Indicators of Compromise

  • Unexpected child processes spawned by NomadBranch.exe on managed Windows endpoints.
  • Inbound connections to the Nomad Branch service from hosts that are not authorized 1E or TeamViewer DEX servers.
  • New or unsigned executables appearing in the Nomad Branch cache or content staging directories.
  • Service-context file writes or registry modifications occurring outside scheduled content distribution windows.

Detection Strategies

  • Monitor process lineage where NomadBranch.exe is the parent and the child is a script interpreter such as cmd.exe, powershell.exe, or rundll32.exe.
  • Hunt for newly written executables in Nomad Branch working directories that do not correspond to a known content distribution job.
  • Correlate endpoint telemetry with TeamViewer DEX server-side distribution logs to identify content delivered from unauthorized sources.

Monitoring Recommendations

  • Enable host-based EDR telemetry covering process creation, file write, and network connection events from NomadBranch.exe.
  • Alert on Nomad Branch service network traffic originating from non-management subnets.
  • Retain logs from the Content Distribution Service to support post-incident review of file hashes and source addresses.

How to Mitigate CVE-2025-44016

Immediate Actions Required

  • Upgrade the TeamViewer DEX Client to version 25.11 or later on all Windows endpoints.
  • Inventory hosts running NomadBranch.exe and prioritize patching of internet-exposed or high-value systems.
  • Restrict network reachability of the Nomad Branch service to authorized management infrastructure only.

Patch Information

TeamViewer has addressed the issue in DEX Client version 25.11 for Windows. Administrators should consult the TeamViewer Security Bulletin TV-2025-1005 for upgrade guidance and full version details. No exploit code is publicly available at the time of writing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Workarounds

  • Segment management networks so that only authorized 1E or TeamViewer DEX servers can reach the Nomad Branch service port on endpoints.
  • Apply host firewall rules that block inbound traffic to NomadBranch.exe from unexpected sources until the patch is deployed.
  • Audit the service account used by Nomad Branch and reduce its privileges where operationally feasible.
bash
# Example Windows Firewall rule restricting inbound access to the Nomad Branch service
# Replace <MGMT_SERVER_IP> with the authorized TeamViewer DEX server address
netsh advfirewall firewall add rule name="Restrict NomadBranch Inbound" ^
  dir=in action=block program="%ProgramFiles%\1E\NomadBranch\NomadBranch.exe" ^
  enable=yes profile=any

netsh advfirewall firewall add rule name="Allow NomadBranch From Mgmt" ^
  dir=in action=allow program="%ProgramFiles%\1E\NomadBranch\NomadBranch.exe" ^
  remoteip=<MGMT_SERVER_IP> enable=yes profile=any

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.