Security researchers and TeamViewer have confirmed multiple vulnerabilities in the TeamViewer DEX Client’s Content Distribution Service (NomadBranch.exe) — part of what was formerly the 1E Client. These issues affect Windows installations prior to the patched versions and stem from improper input validation in the service.
Key Vulnerabilities Identified
1. CVE-2025-44016 — High Severity (CVSS 8.8)
- Issue: File integrity validation can be bypassed, so the service accepts a malicious file as if it were trusted.
- Impact: Arbitrary code execution in the context of the NomadBranch service.
- Risk: Compromise of service logic and potentially broader system access if leveraged with other weaknesses.
- Attack Requirements: Attacker must have adjacent local network access (peer-to-peer or LAN).
2. CVE-2025-12687 — Medium Severity (CVSS 6.5)
- Issue: Improper input validation allows a crafted command to crash the service.
- Impact: Denial of Service (DoS) — the service stops functioning, affecting operations relying on content distribution.
- Attack Requirements: Same local network access conditions.
- Note: This does not directly expose data but disrupts availability.
3. CVE-2025-46266 — Medium Severity (CVSS 4.3)
- Issue: Crafted requests can cause the service to send internal data to arbitrary addresses on an internal network.
- Impact: Potential exposure of sensitive internal information (data leakage).
- Attack Requirements: Adjacent network access.
- Scope: Lower overall impact compared with the code execution flaw but significant if internal data is sensitive.
Affected Components
- TeamViewer DEX Client (NomadBranch.exe) on Windows platforms
- Versions prior to 25.11 (and selected older branch builds) are vulnerable.
- Systems where NomadBranch is disabled (common default) are not affected.
- The TeamViewer Remote/Tensor “DEX Essentials” add-on is not impacted by these specific issues.
Patches & Mitigations
TeamViewer has released fixes. Administrators should immediately update affected systems to the patched versions:
- 25.11.0.29 — Full fix for all listed vulnerabilities.
- Hotfix builds (e.g., 25.9.0.46, 25.5.0.53, 24.5.0.69) — address some issues on older branches.
CVE-2025-46266 is only fully resolved in 25.11 and later.
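The version guidance above can be applied to a client inventory export. The following is an added example, not code from TeamViewer or from this article: the inventory rows and host names are constructed, and it assumes that a hotfix build also covers later builds on the same major.minor branch and that 25.11 builds below 25.11.0.29 are still vulnerable.

```python
# Added example: triage DEX client versions against the fixed builds listed above.
FULL_FIX = (25, 11, 0, 29)  # build the article lists as the full fix
# Hotfix builds named in the article ("e.g.", so this list may be incomplete).
HOTFIXES = {(25, 9): (25, 9, 0, 46), (25, 5): (25, 5, 0, 53), (24, 5): (24, 5, 0, 69)}

def parse_version(text):
    """Turn '25.9.0.46' into (25, 9, 0, 46); raise ValueError on malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def classify(version_text, nomad_enabled):
    """Return (status, advice) for one host."""
    if not nomad_enabled:
        # Per the article, hosts with NomadBranch disabled are not affected.
        return ("not_affected", "NomadBranch disabled; patch before enabling it")
    try:
        version = parse_version(version_text)
    except ValueError:
        return ("unknown", "version unreadable; inspect the host manually")
    if version >= FULL_FIX:
        return ("patched", "no action")
    hotfix = HOTFIXES.get(version[:2])
    # Assumption: a hotfix covers later builds on the same major.minor branch.
    if hotfix and version >= hotfix:
        return ("partial", "CVE-2025-46266 not fully resolved; move to 25.11.0.29 or later")
    return ("vulnerable", "update to 25.11.0.29 or later")

# Constructed sample inventory: (host, client version, NomadBranch enabled).
INVENTORY = [
    ("ws-01", "25.11.0.29", True),
    ("ws-02", "25.9.0.46", True),
    ("ws-03", "25.9.0.12", True),
    ("ws-04", "24.5.0.10", False),
    ("ws-05", "n/a", True),
]

def triage(rows):
    """Map each host to its (status, advice) pair."""
    return {host: classify(ver, enabled) for host, ver, enabled in rows}

if __name__ == "__main__":
    for host, (status, advice) in triage(INVENTORY).items():
        print(f"{host:8} {status:13} {advice}")
```

Hosts reported as `partial` are on a hotfix build and still need the move to 25.11 to close CVE-2025-46266.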
What This Means for You
| Vulnerability | Impact | CVSS |
|---|---|---|
| CVE-2025-44016 | Arbitrary code execution | High (8.8) |
| CVE-2025-12687 | DoS via crash | Medium (6.5) |
| CVE-2025-46266 | Internal data exfiltration | Medium (4.3) |
Who Is At Risk?
- Enterprise networks or LAN-based deployments of TeamViewer DEX that use the Content Distribution Service and are running older builds.
- Local attackers on the same network segment could potentially leverage these issues — meaning internal threat actors or compromised internal hosts are the typical risk vector.
