CVE-2025-36537

Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior Version 15.67 on Windows allows a local unprivileged user to trigger arbitrary file deletion with SYSTEM privileges via leveraging the MSI rollback mechanism. The vulnerability only applies to the Remote Management features: Backup, Monitoring, and Patch Management.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1002/

Configurations

No configuration.

History

26 Jun 2025, 18:58

Type	Values Removed	Values Added
Summary		(es) La asignación incorrecta de permisos para recursos críticos en TeamViewer Client (Full y Host) de TeamViewer Remote y Tensor (versión anterior a la 15.67) en Windows permite que un usuario local sin privilegios active la eliminación arbitraria de archivos con privilegios de SYSTEM mediante el mecanismo de reversión de MSI. La vulnerabilidad solo afecta a las funciones de administración remota: copia de seguridad, monitorización y administración de parches.

24 Jun 2025, 16:15

Type	Values Removed	Values Added
CWE	~~CWE-276~~	CWE-732

24 Jun 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-24 15:15

Updated : 2025-06-26 18:58

NVD link : CVE-2025-36537

Mitre link : CVE-2025-36537

CVE.ORG link : CVE-2025-36537

JSON object : View

Products Affected

No product.

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

7.0 /10