LEMON BLOG

Multiple TeamViewer DEX Client Vulnerabilities Raise Security Concerns

TeamViewer has released urgent security updates after uncovering several vulnerabilities affecting its DEX Client for Windows. While there is currently no evidence that these flaws have been exploited in real-world attacks, their potential impact makes them a serious concern, especially for organisations operating on shared or peer-to-peer networks.

The affected component is the TeamViewer DEX Client, previously known as the 1E Client, which plays a role in device experience monitoring and content distribution within enterprise environments.

What Was Discovered

According to the security advisory, three separate vulnerabilities were identified in the TeamViewer DEX Client's Content Distribution Service, known as NomadBranch.exe. These issues are tracked as CVE-2025-44016, CVE-2025-12687, and CVE-2025-46266, with severity ratings ranging from high to medium.

All three flaws stem from improper input validation within the service, creating opportunities for attackers on the same network to interfere with its operation.

The Most Serious Risk: Arbitrary Code Execution

The most critical vulnerability, CVE-2025-44016, carries a CVSS 3.1 score of 8.8, placing it firmly in the high-severity category. This flaw allows attackers to bypass file integrity checks by crafting requests that include a valid-looking hash for malicious code.

If exploited, the service could be tricked into treating harmful files as trusted, enabling arbitrary code execution within the NomadBranch service context. Notably, this attack does not require any user interaction and could compromise system confidentiality, integrity, and availability. 

Denial of Service and Data Exposure Risks

The two remaining vulnerabilities are rated as medium severity but are still significant in enterprise environments. CVE-2025-12687 can be triggered using specially crafted commands that cause the NomadBranch service to crash unexpectedly. This results in a denial-of-service condition that disrupts content distribution operations.

Meanwhile, CVE-2025-46266 could allow an attacker to force the service to send data to an arbitrary internal IP address. In the wrong hands, this behaviour could be abused to leak sensitive information to an attacker positioned on the same network.

Who Is Affected

All versions of the TeamViewer DEX Client for Windows prior to version 25.11 are affected, provided the NomadBranch component is enabled. Systems where NomadBranch is disabled by default are not impacted, nor are installations using the TeamViewer Remote or Tensor "DEX Essentials" add-on.

Because these vulnerabilities require adjacent network access, they pose the greatest risk in shared LAN environments, such as corporate offices or peer-to-peer network setups.

Updates and Mitigation Steps

TeamViewer has addressed all reported issues in TeamViewer DEX Client version 25.11.0.29. Organisations using the DEX Client are strongly encouraged to prioritise upgrading to this version as soon as possible.

For environments where immediate patching is not feasible, TeamViewer recommends several mitigation measures. These include restricting network access to the Nomad Content Distribution Service, segmenting networks to reduce exposure to adjacent attackers, and closely monitoring logs for suspicious activity related to file validation or unusual NomadBranch behaviour.
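To turn the upgrade guidance above into a patch queue, the following added example (not TeamViewer's code or tooling) triages a host inventory against the fixed build 25.11.0.29 and the NomadBranch condition. The CSV layout, column names, host names and status labels are assumptions made for illustration, and comparing against the fixed build rather than "25.11" is a conservative choice.

```python
import csv
import io

FIXED_BUILD = (25, 11, 0, 29)  # fixed version named in the article

# Constructed sample inventory; the columns are hypothetical, not a TeamViewer export format.
SAMPLE_INVENTORY = """host,dex_version,nomad_enabled
ws-001,25.9.0.112,true
ws-002,25.11.0.29,true
ws-003,25.5.1.4,false
ws-004,9.0.200,true
ws-005,unknown,true
ws-006,25.11.0.12,true
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if text is not a dotted numeric version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def triage(row):
    """Classify one inventory row by the two conditions the article gives."""
    version = parse_version(row["dex_version"])
    nomad_enabled = row["nomad_enabled"].strip().lower() == "true"
    if version is None:
        return "review"  # version not readable: check the host by hand
    # Compare as integer tuples. As strings, "25.9.0.112" and "9.0.200"
    # both sort after "25.11.0.29" and would be misread as patched.
    if version >= FIXED_BUILD:
        return "patched"
    # Below the fixed build: exposure depends on NomadBranch being enabled.
    return "upgrade-now" if nomad_enabled else "upgrade-routine"

def triage_inventory(csv_text):
    """Map each host in the CSV text to its triage status."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row) for row in reader}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts marked `upgrade-now` are the ones where network restriction and segmentation matter most until the update is installed.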

Final Thoughts

Although no exploitation has been observed so far, vulnerabilities that require only local network access can still be dangerous in enterprise settings. Shared infrastructure and flat networks significantly increase the likelihood of lateral movement once an attacker gains a foothold.

Keeping TeamViewer components updated, reviewing service configurations, and maintaining proper network segmentation remain essential steps in reducing risk and maintaining a secure environment.

Sunday, 19 April 2026
