TeamViewer DEX Vulnerabilities Let Attackers Trigger DoS Attack and Expose Sensitive Data


Multiple critical vulnerabilities have been disclosed in TeamViewer DEX Client’s Content Distribution Service (NomadBranch.exe), formerly part of 1E Client.

Affecting Windows versions before 25.11 and select older branches, the flaws stem from improper input validation (CWE-20), potentially enabling attackers on the local network to execute code, crash the service, or leak sensitive data.

The most severe issue, CVE-2025-44016 (CVSS 3.1 base score: 8.8 High), allows bypassing file integrity checks. By crafting a request with a valid hash for malicious code, attackers can trick the service into treating it as trusted, enabling arbitrary code execution within the NomadBranch context.

Complementing this are two medium-severity flaws. CVE-2025-12687 (CVSS 6.5 Medium) triggers a denial-of-service (DoS) crash via a specially crafted command, halting the service entirely. Meanwhile, CVE-2025-12687 (CVSS 4.3 Medium) coerces the service into sending data to an arbitrary internal IP address, risking the exposure of sensitive information.

All vulnerabilities require adjacent network access (AV:A), making them viable threats in peer-to-peer or shared LAN environments. Notably, there is no evidence of exploitation in the wild to date. Installations where NomadBranch is disabled, which is its default state, are unaffected, as is the TeamViewer Remote/Tensor “DEX Essentials” add-on.

TeamViewer has patched these in version 25.11.0.29 and hotfixes for legacy branches:

| Release Version | Download Link |
| --- | --- |
| 25.11.0.29 | 1E Client 25.11 |
| 25.9.0.46 (HF-PLTPKG-524) | HF-PLTPKG-524 |
| 25.5.0.53 LTSB (HF-PLTPKG-526) | HF-PLTPKG-526 |
| 24.5.0.69 LTSB (HF-PLTPKG-525) | Support Portal |

CVE-2025-46266 is fixed only in 25.11 and later. Organizations should prioritize updates, verify NomadBranch status, and segment networks to mitigate adjacent attacks.
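To prioritize updates across a fleet, the fixed builds listed above can be turned into a triage check. The following is an added example, not code from TeamViewer or the original article; the inventory rows, host names and status labels are constructed, and it assumes the inventory reports the client version in the four-part form used in the table and that hotfixed branches older than 25.11 still carry CVE-2025-46266.

```python
# Added example (not vendor code): triage client versions against the fixed builds above.
# First fixed build per release branch, copied from the table on this page.
HOTFIX_BUILDS = {
    (25, 11): (25, 11, 0, 29),
    (25, 9): (25, 9, 0, 46),    # HF-PLTPKG-524
    (25, 5): (25, 5, 0, 53),    # HF-PLTPKG-526 (LTSB)
    (24, 5): (24, 5, 0, 69),    # HF-PLTPKG-525 (LTSB)
}
FULL_FIX = (25, 11, 0, 29)      # CVE-2025-46266 is fixed only in 25.11 and later

# Constructed sample inventory: (host, client version, NomadBranch enabled?)
SAMPLE_INVENTORY = [
    ("ws-001", "25.11.0.29", True),
    ("ws-002", "25.9.0.46", True),
    ("ws-003", "25.9.0.12", True),
    ("ws-004", "24.5.0.69", True),
    ("ws-005", "25.7.0.3", True),
    ("ws-006", "25.5.0.10", False),
]

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of four ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def triage(version, nomad_enabled):
    """Classify one installation as not-affected, patched, partial or vulnerable."""
    if not nomad_enabled:
        return "not-affected"        # NomadBranch disabled: unaffected per the article
    v = parse_version(version)
    if v >= FULL_FIX:
        return "patched"
    hotfix = HOTFIX_BUILDS.get(v[:2])
    if hotfix is not None and v >= hotfix:
        return "partial"             # hotfix branch: CVE-2025-46266 still open
    return "vulnerable"              # below the branch hotfix, or no hotfix listed

def triage_inventory(rows):
    """Group host names by triage result."""
    report = {}
    for host, version, enabled in rows:
        report.setdefault(triage(version, enabled), []).append(host)
    return report

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "partial" have the branch hotfix but still need the move to 25.11 or later, and network segmentation matters most for them and for anything "vulnerable".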

As remote access tools come under increasing scrutiny, this disclosure underscores the need for robust input validation in content distribution services.
