CVE-2025-36537 | THREATINT

Description

Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior Version 15.67 on Windows allows a local unprivileged user to trigger arbitrary file deletion with SYSTEM privileges via leveraging the MSI rollback mechanism. The vulnerability only applies to the Remote Management features: Backup, Monitoring, and Patch Management.

Reserved 2025-04-30 | Published 2025-06-24 | Updated 2025-06-24 | Assigner TV

HIGH: 7.0CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Incorrect Permission Assignment for Critical Resource in TeamViewer Remote Management

Product status

Default status

unaffected

15.0.0 before 15.67

affected

14.0.0 before 14.7.48809

affected

13.0.0 before 13.2.36227

affected

12.0.0 before 12.0.259325

affected

11.0.0 before 11.0.259324

affected

Default status

unaffected

15.0.0 before 15.67

affected

14.0.0 before 14.7.48809

affected

13.0.0 before 13.2.36227

affected

12.0.0 before 12.0.259325

affected

11.0.0 before 11.0.259324

affected

Default status

unaffected

15.0.0 before 15.64.5

affected

Default status

unaffected

15.0.0 before 15.64.5

affected

Credits

Giuliano Sanfins (0x_alibabas) from SiDi, working with Trend Micro Zero Day Initiativ finder

References

www.teamviewer.com/...enter/security-bulletins/tv-2025-1002/

cve.org (CVE-2025-36537)

nvd.nist.gov (CVE-2025-36537)

Download JSON