CVE-2025-64991 Overview
CVE-2025-64991 is a command injection vulnerability in TeamViewer Digital Employee Experience (DEX), formerly known as 1E DEX. The flaw resides in the 1E-PatchInsights-Deploy instruction in versions prior to V15. Improper input validation [CWE-20] allows authenticated attackers holding Actioner privileges to inject arbitrary operating system commands [CWE-77]. Successful exploitation enables remote execution of elevated commands on endpoints connected to the DEX platform. The vulnerability carries a CVSS score of 7.2 and is exploitable over the network with low attack complexity.
Critical Impact
An authenticated Actioner can execute arbitrary elevated commands on every device managed by the DEX platform, enabling lateral movement and fleet-wide compromise.
Affected Products
- TeamViewer Digital Employee Experience (DEX), formerly 1E DEX
- 1E-PatchInsights-Deploy instruction, all versions prior to V15
- Endpoints connected to a vulnerable DEX platform instance
Discovery Timeline
- 2025-12-11 - CVE-2025-64991 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64991
Vulnerability Analysis
TeamViewer DEX uses instructions to push configuration and remediation actions to managed endpoints. The 1E-PatchInsights-Deploy instruction accepts parameters that are passed into a command execution context on target devices. Because the instruction does not properly validate or sanitize input, an authenticated user with Actioner privileges can append shell metacharacters or additional commands to the parameter values. The injected payload then executes with elevated privileges on every device the instruction targets. This converts a legitimate patch deployment workflow into a fleet-wide remote code execution primitive.
Root Cause
The root cause is improper input validation in the parameter handling logic of the 1E-PatchInsights-Deploy instruction. The instruction concatenates user-supplied values into a command string without enforcing an allowlist, escaping shell metacharacters, or using parameterized execution. CWE-20 (Improper Input Validation) and CWE-77 (Improper Neutralization of Special Elements used in a Command) describe the underlying weakness.
Attack Vector
The attacker requires an authenticated DEX account with Actioner privileges. From the DEX console or its API, the attacker invokes the 1E-PatchInsights-Deploy instruction and supplies malicious input within a parameter. The DEX agent on each targeted endpoint executes the resulting command with elevated privileges. No user interaction on the endpoint is required. Because the platform is designed to reach managed devices at scale, a single instruction call can compromise large numbers of endpoints simultaneously.
No public proof-of-concept exploit is currently available. Technical specifics are described in the TeamViewer Security Bulletin TV-2025-1006.
Detection Methods for CVE-2025-64991
Indicators of Compromise
- Execution of the 1E-PatchInsights-Deploy instruction containing shell metacharacters such as ;, &&, |, backticks, or $() in parameter values.
- Unexpected child processes spawned by the DEX agent on endpoints, particularly cmd.exe, powershell.exe, /bin/sh, or /bin/bash invocations that do not match standard patch deployment behavior.
- DEX audit log entries showing instruction runs initiated by Actioner accounts outside of approved change windows.
Detection Strategies
- Audit the DEX instruction execution history for invocations of 1E-PatchInsights-Deploy and review parameter contents for command separators or encoded payloads.
- Correlate DEX agent process creation events with the originating instruction ID to detect anomalous command lines.
- Alert on Actioner-privileged accounts that suddenly increase their instruction execution rate or target unusually broad device groups.
Monitoring Recommendations
- Forward DEX server and agent logs to a centralized SIEM and retain them long enough to support post-incident investigation.
- Monitor endpoint EDR telemetry for elevated child processes of the DEX agent and flag deviations from a known-good baseline.
- Review and tighten the membership of any role that grants Actioner privileges, and alert on additions to that role.
How to Mitigate CVE-2025-64991
Immediate Actions Required
- Upgrade TeamViewer DEX to V15 or later, which contains the fix for the 1E-PatchInsights-Deploy instruction.
- Inventory and review all accounts that hold Actioner privileges and revoke access that is not strictly required.
- Audit recent executions of the affected instruction for signs of abuse and investigate any suspicious parameter values.
Patch Information
TeamViewer addressed the vulnerability in DEX V15. Customers should consult the TeamViewer Security Bulletin TV-2025-1006 for upgrade guidance and verify that the patched instruction version is deployed across the platform.
Workarounds
- Until the upgrade is complete, restrict the 1E-PatchInsights-Deploy instruction so that only a small, trusted set of administrators can invoke it.
- Enforce multi-factor authentication on all DEX accounts and require approval workflows for instruction execution.
- Apply network segmentation so the DEX management plane is only reachable from administrative jump hosts.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

