Incorrect Permission Assignment in TeamViewer Client for Remote Management Features
CVE-2025-36537
7 HIGH
What is CVE-2025-36537?
A vulnerability in the TeamViewer Client's Remote Management features prior to version 15.67 on Windows permits local unprivileged users to exploit incorrect permission assignments. By leveraging the MSI rollback mechanism, these users can execute arbitrary file deletions with elevated SYSTEM privileges, potentially compromising the integrity of the system. This issue specifically affects features related to Backup, Monitoring, and Patch Management, exposing critical resources to unauthorized actions.
Affected Version(s)
Full Client (Win7/8) Windows 15.0.0 < 15.64.5
Full Client Windows 15.0.0 < 15.67
Full Client Windows 14.0.0 < 14.7.48809
CVSS V3.1
Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Giuliano Sanfins (0x_alibabas) from SiDi, working with Trend Micro Zero Day Initiative