CVE-2025-64992 Overview
CVE-2025-64992 is a command injection vulnerability in TeamViewer Digital Employee Experience (DEX), formerly known as 1E DEX. The flaw resides in the 1E-Nomad-PauseNomadJobQueue instruction in versions prior to V25. Improper input validation allows authenticated attackers holding Actioner privileges to inject arbitrary operating system commands. Successful exploitation enables remote execution of elevated commands on endpoints connected to the platform. TeamViewer disclosed the issue in security bulletin TV-2025-1006 and published a fix for affected deployments.
Critical Impact
Authenticated Actioner-privileged attackers can execute arbitrary elevated commands on every device managed by the DEX platform, enabling lateral movement and full endpoint compromise.
Affected Products
- TeamViewer Digital Employee Experience (formerly 1E DEX) versions prior to V25
- 1E-Nomad-PauseNomadJobQueue instruction component
- Endpoints connected to the affected DEX platform
Discovery Timeline
- 2025-12-11 - CVE-2025-64992 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64992
Vulnerability Analysis
The vulnerability is a command injection flaw classified under [CWE-77] (Improper Neutralization of Special Elements used in a Command) and [CWE-20] (Improper Input Validation). The affected component is the 1E-Nomad-PauseNomadJobQueue instruction, which is delivered through the DEX platform to manage Nomad job queues on connected endpoints. The instruction accepts parameters that are passed into command execution logic without adequate sanitization. An attacker with Actioner privileges can craft parameter values containing shell metacharacters or command separators. The DEX agent then runs the injected payload with the elevated privileges granted to the management agent on the endpoint.
Root Cause
The root cause is the absence of strict input validation and command-element neutralization in the 1E-Nomad-PauseNomadJobQueue instruction handler. User-supplied data flows directly into a command interpreter without allowlisting, escaping, or parameterization.
Attack Vector
The attack vector is network-based but requires authentication as an Actioner-privileged user within the DEX console. The attacker invokes the vulnerable instruction with a malicious parameter. The DEX platform then propagates the instruction to connected endpoints, where the injected command runs with the privileges of the local DEX agent. This produces remote, elevated command execution on every targeted device. Refer to the TeamViewer Security Bulletin TV-2025-1006 for vendor-confirmed technical context.
Detection Methods for CVE-2025-64992
Indicators of Compromise
- Unexpected child processes spawned by the TeamViewer DEX or legacy 1E agent process on managed endpoints.
- Invocations of the 1E-Nomad-PauseNomadJobQueue instruction containing shell metacharacters such as ;, |, &, backticks, or $().
- Audit log entries showing Actioner-level users executing Nomad pause instructions outside of normal change windows.
Detection Strategies
- Review DEX audit logs for executions of 1E-Nomad-PauseNomadJobQueue and correlate parameter content against an allowlist of expected values.
- Hunt for endpoint process trees where the DEX agent is the parent of cmd.exe, powershell.exe, /bin/sh, or other interpreters.
- Alert on Actioner role assignments and privilege changes within the DEX platform to detect pre-exploitation reconnaissance.
Monitoring Recommendations
- Forward DEX instruction execution logs and endpoint process-creation telemetry to a centralized SIEM or data lake for correlation.
- Baseline normal Actioner activity and flag deviations such as off-hours instruction execution or unusual parameter lengths.
- Monitor outbound network connections initiated by the DEX agent process for signs of secondary payload retrieval or command-and-control.
How to Mitigate CVE-2025-64992
Immediate Actions Required
- Upgrade TeamViewer DEX to V25 or later as specified in TeamViewer Security Bulletin TV-2025-1006.
- Audit all accounts holding the Actioner role and revoke privileges that are not strictly required.
- Rotate credentials for Actioner-level accounts and enforce multi-factor authentication on the DEX console.
Patch Information
TeamViewer released a fixed version of Digital Employee Experience that remediates the input validation defect in the 1E-Nomad-PauseNomadJobQueue instruction. Administrators should follow the upgrade guidance in the TeamViewer Security Bulletin TV-2025-1006 and apply V25 or later across all DEX components.
Workarounds
- Restrict the 1E-Nomad-PauseNomadJobQueue instruction so only trusted, fully vetted administrators can execute it.
- Implement strict role-based access control and remove Actioner privileges from service or shared accounts until the patch is deployed.
- Apply application-layer input filtering at any proxy or wrapper that mediates DEX instruction submission to block shell metacharacters.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

