CVE-2025-64993 Overview
CVE-2025-64993 is a command injection vulnerability in TeamViewer Digital Employee Experience (DEX), formerly known as 1E DEX. The flaw resides in the 1E-ConfigMgrConsoleExtensions instructions, where improper input validation [CWE-20] allows authenticated attackers with Actioner privileges to inject arbitrary commands [CWE-77]. Successful exploitation enables remote execution of elevated commands on devices connected to the platform. TeamViewer published a security bulletin tracking this issue as TV-2025-1006.
Critical Impact
An authenticated attacker holding Actioner privileges can execute arbitrary elevated commands on managed endpoints across the DEX fleet, leading to lateral movement and full host compromise.
Affected Products
- TeamViewer Digital Employee Experience (formerly 1E DEX)
- 1E-ConfigMgrConsoleExtensions instruction set
- Endpoints managed through the DEX platform
Discovery Timeline
- 2025-12-11 - CVE-2025-64993 published to the National Vulnerability Database (NVD)
- 2026-01-09 - Last updated in NVD database
Technical Details for CVE-2025-64993
Vulnerability Analysis
The vulnerability is a command injection flaw within the 1E-ConfigMgrConsoleExtensions instructions used by TeamViewer DEX. The instruction handler accepts parameters that are passed to a command interpreter without sufficient sanitization. An authenticated user assigned the Actioner role can craft instruction inputs containing shell metacharacters or command separators. These payloads break out of the expected argument context and are executed by the platform on connected devices.
Because DEX instructions execute with elevated privileges on managed endpoints, the injected commands run with the same elevated context. This converts a logical role-based capability into arbitrary code execution across the managed fleet. The impact extends beyond the DEX server itself to every endpoint reachable through the platform.
Root Cause
The root cause is improper input validation [CWE-20] combined with improper neutralization of special elements used in a command [CWE-77]. Instruction parameters are concatenated into command strings rather than passed as discrete arguments through a safe API. No allow-list, escaping, or parameter binding is applied before execution.
Attack Vector
The attack vector is network-based but requires authenticated access with Actioner privileges. An attacker who compromises or possesses such an account submits a malicious DEX instruction targeting 1E-ConfigMgrConsoleExtensions. The crafted payload includes injected commands that are dispatched to selected endpoints. Execution occurs in the elevated context used by DEX instructions, allowing the adversary to install tooling, harvest credentials, or pivot deeper into the environment.
No verified public exploit code is available at this time. Refer to the TeamViewer Security Bulletin TV-2025-1006 for vendor technical details.
Detection Methods for CVE-2025-64993
Indicators of Compromise
- Unexpected child processes spawned by the DEX agent or ConfigMgr console extension hosts on managed endpoints.
- DEX audit log entries showing Actioner-submitted instructions with shell metacharacters such as ;, &, |, backticks, or $(...) in parameter fields.
- Outbound network connections from endpoints to attacker-controlled hosts immediately following instruction execution.
- Creation of new local accounts, scheduled tasks, or services correlated with DEX instruction execution windows.
Detection Strategies
- Inspect DEX server audit logs for instruction submissions referencing 1E-ConfigMgrConsoleExtensions with anomalous argument content.
- Hunt for elevated command-line activity on managed endpoints with a parent process associated with the DEX agent.
- Correlate Actioner account activity with endpoint process telemetry to identify mass or scripted execution patterns.
Monitoring Recommendations
- Enable verbose logging on the DEX platform and forward instruction execution records to a centralized SIEM.
- Alert on any modification to Actioner role assignments or sudden increases in instruction volume per user.
- Monitor privileged account authentication to the DEX console for unusual source IPs or off-hours activity.
How to Mitigate CVE-2025-64993
Immediate Actions Required
- Apply the fixed version of TeamViewer DEX as referenced in TeamViewer Security Bulletin TV-2025-1006.
- Audit all accounts assigned the Actioner role and revoke privileges that are not strictly required.
- Rotate credentials for Actioner-level accounts and enforce multi-factor authentication on the DEX console.
- Review recent instruction history for 1E-ConfigMgrConsoleExtensions invocations and investigate any with suspicious parameters.
Patch Information
TeamViewer has released an updated build addressing CVE-2025-64993. Refer to the vendor advisory TV-2025-1006 for affected version ranges and the corresponding fixed release. Apply the update across all DEX server components and connected agents.
Workarounds
- Restrict the Actioner role to a minimal set of trusted administrators until patching completes.
- Disable or remove the 1E-ConfigMgrConsoleExtensions instruction set if it is not in active use in your environment.
- Place the DEX management console behind a VPN or jump host to limit network exposure of authenticated endpoints.
# Configuration example: refer to vendor advisory TV-2025-1006 for product-specific
# configuration steps. Verify installed DEX version against the fixed release.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

