TeamViewer DEX Vulnerabilities Let Attackers Trigger DoS Attack and Expose Sensitive Data

Brownie2019

Multiple critical vulnerabilities have been reported in TeamViewer DEX Client’s Content Distribution Service (NomadBranch.exe), formerly part of 1E Client.
Affecting Windows versions before 25.11 and select older branches, the flaws stem from improper input validation (CWE-20), potentially enabling attackers on the local network to execute code, crash the service, or leak sensitive data.
The most severe issue, CVE-2025-44016 (CVSS 3.1 base score: 8.8 High), allows bypassing file integrity checks. By crafting a request with a valid hash for malicious code, attackers can trick the service into treating it as trusted, enabling arbitrary code execution within the NomadBranch context.
Complementing this are two medium-severity flaws. CVE-2025-12687 (CVSS 6.5 Medium) triggers a denial-of-service (DoS) crash via a specially crafted command, halting the service entirely. Meanwhile, CVE-2025-12687 (CVSS 4.3 Medium) coerces the service into sending data to an arbitrary internal IP address, risking the exposure of sensitive information.
All vulnerabilities require adjacent network access (AV:A), making them viable threats in peer-to-peer or shared LAN environments. Notably, no evidence suggests wild exploitation to date. Installations with NomadBranch disabled in its default state are unaffected, as is the TeamViewer Remote/Tensor “DEX Essentials” add-on.
TeamViewer has patched these in version 25.11.0.29 and hotfixes for legacy branches; CVE-2025-46266 is fixed only in 25.11 and later. Organizations should prioritize updates, verify NomadBranch status, and segment networks to mitigate adjacent attacks.
As remote access tools come under increasing scrutiny, this disclosure underscores the need for robust input validation in content distribution services.
Your summary is mostly accurate, but there’s one important typo/mix-up in the CVE list.

What TeamViewer actually lists (Bulletin TV-2025-1005, dated Dec 11, 2025)

Three vulnerabilities in TeamViewer DEX Client (formerly 1E Client) Content Distribution Service (NomadBranch.exe) on Windows:

  • CVE-2025-44016 (CVSS 8.8 High) – integrity check bypass leading to arbitrary code execution in the NomadBranch service context (requires adjacent/local network access).
  • CVE-2025-12687 (CVSS 6.5 Medium) – denial-of-service via crafted command that can crash/terminate the service (adjacent network access).
  • CVE-2025-46266 (CVSS 4.3 Medium) – can coerce the service to transmit data to an arbitrary internal IP (information disclosure risk; adjacent network access).

So the second “medium” issue in your quote is not CVE-2025-12687 again — it should be CVE-2025-46266.

Fix / version notes (key operational detail)

  • TeamViewer indicates fixes are in DEX/1E Client 25.11.0.29.
  • Hotfixes exist for some older branches for CVE-2025-44016 and CVE-2025-12687.
  • CVE-2025-46266 is fixed only in 25.11 and later (so older-branch hotfixing won’t fully close everything).

Practical mitigation guidance

  • If you don’t use Nomad/content distribution: keep the NomadBranch/Content Distribution Service disabled (TeamViewer states it’s disabled by default, and disabled installs are not affected).
  • If you do use it: prioritize upgrading to 25.11.0.29 (or later) rather than relying solely on legacy hotfixes, because of CVE-2025-46266.
  • Reduce “adjacent network” exposure: segment client networks where possible and restrict who can reach endpoints over the LAN (host firewall rules / VLAN separation), since all three require AV:A conditions.
  • Confirm whether “DEX Essentials” is in play: TeamViewer states the TeamViewer Remote/Tensor add-on DEX Essentials is not affected.

Conclusion: treat this as a “patch or disable the service” item, and make sure internal notes/docs reflect the correct third CVE (CVE-2025-46266) so teams don’t mistakenly think a legacy hotfix fully addresses the whole set.
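To make the fix matrix from the reply above usable against an endpoint inventory, here is an added triage helper (example code, not TeamViewer's or 1E's). It assumes three inputs per host that an inventory tool would supply: the NomadBranch/DEX client version string, whether the Content Distribution Service is enabled, and whether a vendor legacy-branch hotfix has been applied (modelled as a flag, since the thread does not give hotfix version numbers); the inventory records are constructed sample data.

```python
"""Triage helper for the TeamViewer DEX / 1E Client NomadBranch advisory.

Added example, not vendor code. Encodes the fix matrix stated in the thread:
  - service disabled (the default)      -> not affected
  - version >= 25.11.0.29               -> all three CVEs fixed
  - older branch + vendor hotfix        -> CVE-2025-44016 and CVE-2025-12687
                                           fixed, CVE-2025-46266 still open
  - anything else with the service on   -> all three open
"""
from dataclasses import dataclass

FIXED_VERSION = (25, 11, 0, 29)          # release that closes all three CVEs
ALL_CVES = ("CVE-2025-44016", "CVE-2025-12687", "CVE-2025-46266")
HOTFIXED_ON_LEGACY = ("CVE-2025-44016", "CVE-2025-12687")


@dataclass
class Host:
    name: str
    version: str           # NomadBranch / DEX client version string
    service_enabled: bool  # Content Distribution Service (NomadBranch) enabled?
    legacy_hotfix: bool    # vendor hotfix for an older branch applied? (assumed flag)


def parse_version(text):
    """'25.11' -> (25, 11, 0, 0); padded so short strings compare conservatively."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def open_cves(host):
    """Return the CVEs from this advisory that remain unaddressed on the host."""
    if not host.service_enabled:
        return ()                                   # disabled installs are not affected
    if parse_version(host.version) >= FIXED_VERSION:
        return ()                                   # 25.11.0.29 or later fixes everything
    if host.legacy_hotfix:
        return tuple(c for c in ALL_CVES if c not in HOTFIXED_ON_LEGACY)
    return ALL_CVES


def triage(hosts):
    return {h.name: open_cves(h) for h in hosts}


# Constructed sample inventory; the legacy version numbers are invented.
SAMPLE_INVENTORY = [
    Host("ws-01", "25.11.0.29", True, False),
    Host("ws-02", "25.5.0.10", True, True),
    Host("ws-03", "25.5.0.10", True, False),
    Host("ws-04", "24.9.1.5", False, False),
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {'ok' if not cves else ', '.join(cves)}")
```

Hosts that report only CVE-2025-46266 are exactly the legacy-hotfixed machines the reply warns about: they still need the 25.11 upgrade.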