CVE-2025-64989

HIGH

TeamViewer DEX < 21.1 - Authenticated Command Injection via 1E-Explorer-TachyonCore-FindFileBySizeAndHash

Title source: llm

Description

A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-FindFileBySizeAndHash instruction prior V21.1. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform.

References (1)

Core 1

Core References

Vendor Advisory

https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/

Scores

CVSS v3 7.2

EPSS 0.0098

EPSS Percentile 57.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (1)

teamviewer/digital_employee_experience < 21.1

Published Dec 11, 2025

Tracked Since Feb 18, 2026