
A newly disclosed vulnerability in TeamViewer Remote Management for Windows allows local attackers to delete files with SYSTEM privileges, posing a serious risk of privilege escalation.
While exploitation requires local access, the high-severity flaw is particularly concerning due to TeamViewer's prominence in sensitive environments and its history as a target for advanced threat actors.
The vulnerability, tracked as CVE-2025-36537, was responsibly disclosed by Giuliano Sanfins (0x_alibabas) from SiDi, working with Trend Micro's Zero Day Initiative. TeamViewer published a security bulletin yesterday to inform users about the flaw, assigning it a CVSS score of 7.0 (High). The underlying issue stems from incorrect permission assignment in the TeamViewer client, which can be abused to delete arbitrary files during MSI rollback operations.
The exploit path targets the Remote Management suite, specifically the Backup, Monitoring, and Patch Management modules, present in versions of TeamViewer Remote and Tensor prior to 15.67. Attackers leveraging the flaw must already have unprivileged access to a Windows system, but can escalate privileges by triggering file deletions as SYSTEM, potentially paving the way for further compromise.
Exploitation of CVE-2025-36537 involves the misuse of Windows Installer's rollback feature. During certain operations, the MSI engine may attempt to revert changes if an installation fails, opening a narrow but powerful window for manipulation. A local attacker can prepare crafted paths or symlinks to escalate from user-level to SYSTEM by deleting critical files during this rollback.
TeamViewer is a widely deployed remote access tool used in enterprise, healthcare, and government systems. Its widespread installation makes it a favored target for cyberespionage groups such as APT29 (Midnight Blizzard), the Russian state-backed actor behind the 2024 breach of TeamViewer's internal IT environment.
Impact and fixes
The vulnerability affects a broad swath of legacy and current TeamViewer installations on Windows, including:
- TeamViewer Remote Full Client and Remote Host, versions prior to 15.67
- Legacy builds for Windows 7/8 prior to 15.64.5
- Older releases from version 11.0.259324 up to 14.7.48809
Only instances with the Remote Management add-ons enabled are vulnerable. Systems using TeamViewer without these features are not impacted.
TeamViewer has issued patched versions addressing the vulnerability. All users are strongly urged to upgrade to version 15.67 or later immediately. For systems still relying on older versions, upgrade packages are available for download from TeamViewer's official channels.
While the vendor reports no evidence of in-the-wild exploitation, the risk remains elevated due to TeamViewer's attractiveness as a foothold in enterprise environments. Attackers with local access gained through phishing, lateral movement, or other means could weaponize this flaw as part of a broader attack chain.