CVE-2025-64989 Overview
CVE-2025-64989 is a command injection vulnerability in TeamViewer Digital Employee Experience (DEX), formerly 1E DEX. The flaw resides in the 1E-Explorer-TachyonCore-FindFileBySizeAndHash instruction in versions prior to V21.1. Improper input validation [CWE-20] allows authenticated attackers holding Actioner privileges to inject arbitrary commands. Successful exploitation enables remote execution of elevated commands on devices connected to the DEX platform. TeamViewer published security bulletin TV-2025-1006 to address the issue. The vulnerability carries a CVSS 3.1 score of 7.2 and an EPSS probability of 0.215%.
Critical Impact
Authenticated Actioner-privileged attackers can execute arbitrary elevated commands across all endpoints managed by the TeamViewer DEX platform, enabling lateral movement and full host compromise.
Affected Products
- TeamViewer Digital Employee Experience (DEX) versions prior to V21.1
- 1E DEX (legacy branding) prior to V21.1
- The 1E-Explorer-TachyonCore-FindFileBySizeAndHash instruction component
Discovery Timeline
- 2025-12-11 - CVE-2025-64989 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-64989
Vulnerability Analysis
The vulnerability exists in the TachyonCore instruction 1E-Explorer-TachyonCore-FindFileBySizeAndHash, which is part of the TeamViewer DEX endpoint management framework. This instruction accepts caller-supplied parameters used to locate files on managed endpoints by size and hash. The instruction handler fails to validate or sanitize these inputs before passing them into a command execution context.
An authenticated user assigned the Actioner role can craft instruction parameters that break out of the intended argument boundary and append additional shell commands. Because TachyonCore instructions execute under elevated privileges on target endpoints, injected commands run with the same elevated rights. The flaw aligns with [CWE-20] Improper Input Validation. See the TeamViewer Security Bulletin TV-2025-1006 for vendor-confirmed details.
Root Cause
The root cause is missing input sanitization on parameters consumed by the FindFileBySizeAndHash instruction. The handler concatenates attacker-controlled values into a command string rather than passing them as discrete, validated arguments. No allowlist, escaping, or type enforcement is applied before execution.
Attack Vector
The attack vector is network-based. An attacker must first hold valid Actioner credentials within the DEX platform. Using the standard instruction issuance workflow, the attacker submits a FindFileBySizeAndHash request containing malicious payload characters in the size or hash parameter. The platform dispatches the instruction to one or more agents, which then execute the attacker's appended commands with elevated privileges on the target endpoints.
No verified proof-of-concept code is publicly available. Refer to the vendor bulletin for technical guidance.
Detection Methods for CVE-2025-64989
Indicators of Compromise
- Unexpected 1E-Explorer-TachyonCore-FindFileBySizeAndHash instruction invocations containing shell metacharacters such as ;, |, &, $(), or backticks in size or hash parameters
- Tachyon agent process spawning unusual child processes (cmd.exe, powershell.exe, /bin/sh) immediately after instruction execution
- Instruction submissions originating from Actioner accounts outside typical operational hours or source IP ranges
- Elevated command execution on endpoints with no corresponding change ticket or operator session
Detection Strategies
- Audit DEX instruction history for FindFileBySizeAndHash calls and flag parameter values containing non-hexadecimal or non-numeric characters
- Correlate Tachyon agent telemetry with endpoint EDR process trees to identify command execution chains rooted in the agent process
- Alert on any Actioner-role account submitting bulk or rapid sequences of file-search instructions across many endpoints
Monitoring Recommendations
- Forward TeamViewer DEX audit logs and Tachyon agent execution logs to a centralized SIEM for retention and correlation
- Baseline normal Actioner activity patterns and alert on deviations in instruction frequency, target scope, or parameter content
- Monitor for new or modified Actioner role assignments and require approval workflows for privilege grants
How to Mitigate CVE-2025-64989
Immediate Actions Required
- Upgrade TeamViewer DEX to version V21.1 or later as directed in TeamViewer Security Bulletin TV-2025-1006
- Inventory all accounts holding the Actioner role and revoke the privilege from users who do not require it
- Rotate credentials and API tokens for any account that retains Actioner privileges
- Review historical instruction logs for the FindFileBySizeAndHash instruction to identify prior abuse
Patch Information
TeamViewer addressed CVE-2025-64989 in TeamViewer DEX V21.1. The fix introduces proper input validation on the 1E-Explorer-TachyonCore-FindFileBySizeAndHash instruction parameters. Customers running any version prior to V21.1 must upgrade. Consult the TeamViewer Security Bulletin TV-2025-1006 for upgrade procedures and version verification steps.
Workarounds
- Restrict Actioner role membership to a minimum set of trusted administrators until the V21.1 upgrade is applied
- Disable or remove custom instruction sets that wrap FindFileBySizeAndHash where the patch cannot be deployed immediately
- Enforce multi-factor authentication on all DEX console and API accounts to reduce credential-based abuse risk
- Implement network segmentation that limits which administrative workstations can reach the DEX management console
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
