CVE-2025-36537

Summary

Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior Version 15.67 on Windows allows a local unprivileged user to trigger arbitrary file deletion with SYSTEM privileges via leveraging the MSI rollback mechanism. The vulnerability only applies to the Remote Management features: Backup, Monitoring, and Patch Management.

Affected Software

VendorProductVersion RangeStatus
TeamViewerFull Client15.0.0 < 15.67affected
TeamViewerFull Client14.0.0 < 14.7.48809affected
TeamViewerFull Client13.0.0 < 13.2.36227affected
TeamViewerFull Client12.0.0 < 12.0.259325affected
TeamViewerFull Client11.0.0 < 11.0.259324affected
TeamViewerHost15.0.0 < 15.67affected
TeamViewerHost14.0.0 < 14.7.48809affected
TeamViewerHost13.0.0 < 13.2.36227affected
TeamViewerHost12.0.0 < 12.0.259325affected
TeamViewerHost11.0.0 < 11.0.259324affected
TeamViewerFull Client (Win7/8)15.0.0 < 15.64.5affected
TeamViewerHost (Win7/8)15.0.0 < 15.64.5affected

Weaknesses

  • Incorrect Permission Assignment for Critical Resource in TeamViewer Remote Management

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References