TeamViewer for Windows Vulnerability Lets Hackers Delete Files with SYSTEM Rights
A critical security vulnerability has been discovered in TeamViewer Remote Management for Windows, exposing systems to potential privilege escalation attacks.
The flaw, tracked as CVE-2025-36537, allows a local unprivileged attacker to delete arbitrary files with SYSTEM-level privileges, posing a significant risk to organizations relying on TeamViewer’s Remote Management features.
Vulnerability Overview
The vulnerability, assigned a CVSS score of 7.0 (High), stems from an incorrect permission assignment for critical resources in the TeamViewer Client (both Full and Host versions).
Specifically, the issue is linked to how the MSI rollback mechanism handles file deletions during uninstall or rollback processes.
By exploiting this mechanism, a low-privileged user with local access can delete files anywhere on the system as SYSTEM, potentially leading to further privilege escalation or system compromise.
| CVE ID | CVSS Score | Affected Features |
| --- | --- | --- |
| CVE-2025-36537 | 7.0 (High) | Backup, Monitoring, Patch Mgmt |
Notably, this vulnerability only affects installations of TeamViewer Remote or Tensor for Windows that have the Remote Management features—Backup, Monitoring, or Patch Management—enabled.
Systems running TeamViewer without these modules are not impacted.
“The vulnerability only applies to the Remote Management features: Backup, Monitoring, and Patch Management. Devices running TeamViewer without these features are not affected.”
Affected Versions
The following TeamViewer products and versions are affected:
| Product | Affected Versions |
| --- | --- |
| TeamViewer Remote Full Client (Windows) | < 15.67 |
| TeamViewer Remote Full Client (Win 7/8) | < 15.64.5 |
| TeamViewer Remote Full Client (Windows) | < 14.7.48809 |
| TeamViewer Remote Full Client (Windows) | < 13.2.36227 |
| TeamViewer Remote Full Client (Windows) | < 12.0.259325 |
| TeamViewer Remote Full Client (Windows) | < 11.0.259324 |
| TeamViewer Remote Host (Windows) | < 15.67 |
| TeamViewer Remote Host (Win 7/8) | < 15.64.5 |
| TeamViewer Remote Host (Windows) | < 14.7.48809 |
| TeamViewer Remote Host (Windows) | < 13.2.36227 |
| TeamViewer Remote Host (Windows) | < 12.0.259325 |
| TeamViewer Remote Host (Windows) | < 11.0.259324 |
To exploit this vulnerability, an attacker must have local access to the targeted Windows system.
Once exploited, the attacker could delete critical system files or user data, potentially causing a denial of service or paving the way for further privilege escalation.
However, there is currently no evidence that this vulnerability has been exploited in the wild.
TeamViewer has addressed the issue in version 15.67 and recommends all users with Remote Management features enabled update to the latest available version immediately.
Users who do not utilize Backup, Monitoring, or Patch Management are not affected but are still encouraged to keep their software up to date as a best practice.
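The Python functions below are an added example, not code from TeamViewer or the original article. They check version strings from a software inventory against the affected-version table above. They assume each table row gives the first fixed build of its major branch and that the inventory already records whether Remote Management features are enabled; the host names and sample records are constructed.

```python
# Added example: triage TeamViewer Windows clients against the article's table.
# Assumption: each table row is the first fixed build for that major branch.
FIXED_BY_MAJOR = {
    15: (15, 67, 0, 0),
    14: (14, 7, 48809, 0),
    13: (13, 2, 36227, 0),
    12: (12, 0, 259325, 0),
    11: (11, 0, 259324, 0),
}
FIXED_15_WIN7_8 = (15, 64, 5, 0)  # separate 15.x threshold for Windows 7/8


def parse_version(text):
    """Turn '15.66.5' into a zero-padded 4-tuple so tuples compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version, win7_8=False, remote_mgmt=True):
    """Return 'not-applicable', 'affected', 'fixed' or 'unlisted'."""
    if not remote_mgmt:
        return "not-applicable"  # Backup/Monitoring/Patch Mgmt not enabled
    v = parse_version(version)
    major = v[0]
    if major not in FIXED_BY_MAJOR:
        return "unlisted"  # branch does not appear in the article's table
    fixed = FIXED_15_WIN7_8 if (major == 15 and win7_8) else FIXED_BY_MAJOR[major]
    return "affected" if v < fixed else "fixed"


def triage(inventory):
    """Return host names whose client needs the update."""
    return [h["host"] for h in inventory
            if classify(h["version"], h["win7_8"], h["remote_mgmt"]) == "affected"]


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    {"host": "ws-01", "version": "15.66.5", "win7_8": False, "remote_mgmt": True},
    {"host": "ws-02", "version": "15.67.3", "win7_8": False, "remote_mgmt": True},
    {"host": "legacy-01", "version": "15.64.3", "win7_8": True, "remote_mgmt": True},
    {"host": "kiosk-01", "version": "14.7.48808", "win7_8": False, "remote_mgmt": False},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts reported as `unlisted` run a branch the table does not mention and need manual review.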
The vulnerability was responsibly disclosed by Giuliano Sanfins (0x_alibabas) from SiDi, in collaboration with Trend Micro Zero Day Initiative.
TeamViewer users are urged to update immediately to protect their systems from potential exploitation.