CVE-2025-36537: TeamViewer Remote Management Flaw

TeamViewer has shared a new security update for a flaw in TeamViewer Remote Management for Windows. The vulnerability, officially cataloged as CVE-2025-36537, allows a local, unprivileged user to escalate their privileges and delete files with SYSTEM-level access. 

According to a TeamViewer security bulletin (ID: TV-2025-1002) published on Tuesday, the flaw stems from incorrect permission assignment for critical resources. This specific weakness, classified under CWE-732, enables attackers to exploit the MSI rollback mechanism within the TeamViewer Remote and Tensor clients (both Full and Host versions) for Windows. 

Who Is Affected and How the Exploit Works 

The TeamViewer vulnerability specifically impacts the Remote Management features, including Backup, Monitoring, and Patch Management. Notably, users running TeamViewer without these features are not affected. 

The exploit requires local access, meaning an attacker must already have some form of presence on the target system. By taking advantage of flawed permissions during the uninstallation process (via MSI rollback), an unprivileged user can delete arbitrary files with SYSTEM-level privileges, potentially compromising the integrity of the entire system. 

The vulnerability has been rated 7.0 (High) on the CVSS scale, with the following vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. Although the vector rates attack complexity as high and the attack requires local access, the potential damage makes it a serious concern for enterprise environments. 

Affected Versions and Urgent Mitigation Steps 

The security flaw affects multiple versions of TeamViewer Remote Full Client and Host Client for Windows, including legacy builds. Specifically: 


Product  Versions 
TeamViewer Remote Full Client (Windows)  < 15.67 
TeamViewer Remote Full Client (Windows 7/8)  < 15.64.5 
TeamViewer Remote Full Client (Windows)  < 14.7.48809 
TeamViewer Remote Full Client (Windows)  < 13.2.36227 
TeamViewer Remote Full Client (Windows)  < 12.0.259325 
TeamViewer Remote Full Client (Windows)  < 11.0.259324 
TeamViewer Remote Host (Windows)  < 15.67 
TeamViewer Remote Host (Windows 7/8)  < 15.64.5 
TeamViewer Remote Host (Windows)  < 14.7.48809 
TeamViewer Remote Host (Windows)  < 13.2.36227 
TeamViewer Remote Host (Windows)  < 12.0.259325 
TeamViewer Remote Host (Windows)  < 11.0.259324 

TeamViewer has already released a fix in version 15.67, and users are strongly advised to upgrade immediately. Devices not running the Remote Management features do not require urgent updates, though regular patching is always recommended. 
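Administrators checking a Windows fleet against the table above can script the comparison. The following is an added example, not TeamViewer's code or part of the bulletin; it assumes the client registers itself under the standard Uninstall registry keys and treats OS versions below 6.3 (Windows 7 and Windows 8) as the "Windows 7/8" line whose fix is 15.64.5.

```powershell
# Added example: classify an installed TeamViewer Remote Full/Host client version
# against the affected ranges in the bulletin's table (fixed builds per major branch).
function Test-TeamViewerAffected {
    param(
        [Parameter(Mandatory)][string]$Version,
        # Windows 7/8 hosts stay on the 15.64.x line; their fix is 15.64.5
        [switch]$LegacyWindows
    )
    $v = [version]$Version
    $fixed15 = if ($LegacyWindows) { [version]'15.64.5' } else { [version]'15.67' }
    # Minimum fixed build for each major branch listed in the bulletin
    $fixed = @{
        15 = $fixed15
        14 = [version]'14.7.48809'
        13 = [version]'13.2.36227'
        12 = [version]'12.0.259325'
        11 = [version]'11.0.259324'
    }
    if (-not $fixed.ContainsKey($v.Major)) {
        # Branches outside 11-15 are not covered by the bulletin's table
        return 'Unknown'
    }
    if ($v -lt $fixed[$v.Major]) { 'Affected' } else { 'Fixed' }
}

# Assumption: OS build below 6.3 means Windows 7 (6.1) or Windows 8 (6.2)
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
$legacy = $osVersion -lt [version]'6.3'

# Assumption: the client appears under the standard Uninstall keys (32- and 64-bit views)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'TeamViewer*' -and $_.DisplayVersion } |
    ForEach-Object {
        [pscustomobject]@{
            Product = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = Test-TeamViewerAffected -Version $_.DisplayVersion -LegacyWindows:$legacy
        }
    }
```

An "Affected" result only means the client build is in range; the bulletin states that hosts without the Remote Management features (Backup, Monitoring, Patch Management) are not exposed, so cross-check that those modules are enabled before prioritising.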

Discovery and Disclosure of CVE-2025-36537

The vulnerability was disclosed by Giuliano Sanfins (alias 0x_alibabas) from SiDi, working with the Trend Micro Zero Day Initiative. As of the latest update, there is no indication that CVE-2025-36537 has been exploited in the wild. 

System administrators should evaluate their deployment of TeamViewer Remote Management, especially where Backup, Monitoring, or Patch Management modules are enabled. Applying the latest updates will eliminate exposure to this TeamViewer vulnerability and help maintain compliance with organizational security standards. 
