A high-severity vulnerability (CVE-2025-36537) in TeamViewer’s Remote Management features allows local attackers to delete arbitrary files with SYSTEM privileges, potentially enabling full privilege escalation on Windows systems.
Rated 7.0 (High) on the CVSS scale, the flaw specifically impacts installations using Backup, Monitoring, or Patch Management features.
TeamViewer has released patched versions (15.67+) to address the issue, with no evidence of active exploitation observed.
Exploit Mechanism and Technical Details
The vulnerability stems from Incorrect Permission Assignment for Critical Resource (CWE-732) in TeamViewer’s MSI installer rollback mechanism.
When uninstallation or rollback occurs, the Windows Installer service creates a temporary folder at `C:\Config.Msi` to store rollback scripts (`.rbs`) and binary files (`.rbf`). Attackers with local unprivileged access can:
- Trigger arbitrary file deletion by manipulating the MSI rollback process.
- Replace legitimate `.rbs`/`.rbf` files with malicious versions, enabling the execution of attacker-controlled code during rollback.
- Escalate privileges to the SYSTEM level by forcing the installer to move/rename fraudulent files (e.g., deploying a malicious DLL).
Exploitation requires prior local access and only affects systems with Remote Management features enabled.
Affected Products and Mitigation
| Product Type | Vulnerable Versions | Patched Version |
|---|---|---|
| Remote Full Client (Win) | < 15.67, 15.64.5 (Win7/8) | 15.67+ |
| Remote Host (Win) | < 15.67, 15.64.5 (Win7/8) | 15.67+ |
| Legacy Clients (Win) | Versions < 14.7.48809 | Latest updates |
Mitigation steps:
- Immediately update to TeamViewer 15.67 or later.
- Disable Backup, Monitoring, and Patch Management modules if patching is delayed.
- Restrict local access to critical systems via network segmentation.
Broader Security Implications
This flaw highlights risks in MSI rollback mechanisms, where arbitrary file deletion vulnerabilities can bypass permission checks.
Similar issues (e.g., CVE-2023-27470) have been weaponized to escalate privileges via `C:\Config.Msi` manipulation.
TeamViewer credited Giuliano Sanfins (0x_alibabas) of SiDi/Trend Micro Zero Day Initiative for responsible disclosure.
Enterprises using remote management tools should audit installer permissions and monitor for anomalous file-deletion patterns.
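As an added example that is not part of the original report, the Python below implements the kind of file-event screening the previous sentence calls for: it flags `.rbs`/`.rbf` activity under `C:\Config.Msi` by any process other than the Windows Installer service running as SYSTEM. The record layout and the sample events are constructed assumptions loosely modeled on Sysmon FileCreate/FileDelete fields, not output of any real system.

```python
"""Screen file-event records for suspicious activity on MSI rollback artifacts (added example).
Records are constructed and loosely modeled on Sysmon FileCreate (11) / FileDelete (23) fields."""
import ntpath  # Windows path semantics, usable on any platform

ROLLBACK_DIR = r"C:\Config.Msi"                       # folder named in the advisory
ROLLBACK_EXTS = {".rbs", ".rbf"}                      # rollback scripts / binaries
EXPECTED_IMAGE = r"C:\Windows\System32\msiexec.exe"   # Windows Installer service binary
EXPECTED_USER = r"NT AUTHORITY\SYSTEM"                # account it normally runs under

def is_rollback_artifact(path):
    """True for .rbs/.rbf files located in or below C:\\Config.Msi (case-insensitive)."""
    norm = ntpath.normcase(path)  # lowercase, forward slashes -> backslashes
    in_dir = norm.startswith(ntpath.normcase(ROLLBACK_DIR) + "\\")
    return in_dir and ntpath.splitext(norm)[1] in ROLLBACK_EXTS

def classify(event):
    """Reason string if the event deviates from normal installer behaviour, else None."""
    if not is_rollback_artifact(event.get("TargetFilename", "")):
        return None
    image, user = event.get("Image", ""), event.get("User", "")
    if ntpath.normcase(image) != ntpath.normcase(EXPECTED_IMAGE):
        return f"rollback artifact touched by non-installer process {image}"
    if user.upper() != EXPECTED_USER.upper():
        return f"installer handling rollback data as unexpected account {user}"
    return None  # msiexec.exe as SYSTEM creating/removing its own rollback files: expected

def flag_events(events):
    """Return (EventID, path, reason) for every record worth an analyst's attention."""
    return [(e["EventID"], e["TargetFilename"], r) for e in events if (r := classify(e))]

# Constructed sample telemetry (not real logs): benign create, delete by a user
# process, an unrelated installer log, and an installer write under a user account.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": EXPECTED_IMAGE, "User": EXPECTED_USER,
     "TargetFilename": r"C:\Config.Msi\1a2b3c.rbs"},
    {"EventID": 23, "Image": r"C:\Users\alice\AppData\Local\Temp\app.exe",
     "User": r"DESKTOP\alice", "TargetFilename": r"C:\Config.Msi\1a2b3c.rbs"},
    {"EventID": 11, "Image": EXPECTED_IMAGE, "User": EXPECTED_USER,
     "TargetFilename": r"C:\Windows\Temp\MSI1234.LOG"},
    {"EventID": 11, "Image": EXPECTED_IMAGE, "User": r"DESKTOP\alice",
     "TargetFilename": r"C:\Config.Msi\4d5e6f.rbf"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit)
```

Baseline the expected image path and account against your own hosts before alerting on deviations, since the installer can legitimately run from more than one path.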