Cyber Posture

CVE-2025-44016

High

Published: 11 December 2025

Modified: 14 January 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability in TeamViewer DEX Client (former 1E client) - Content Distribution Service (NomadBranch.exe) prior to version 25.11 for Windows allows malicious actors to bypass file integrity validation via a crafted request. By providing a valid hash for a malicious file, an attacker can cause the service to incorrectly validate and process the file as trusted, enabling arbitrary code execution under the Nomad Branch service context.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly addresses the improper input validation (CWE-20) that enables crafted requests to bypass file integrity checks in the Content Distribution Service.

prevent

Ensures robust verification of software and information integrity using hashes or other methods, countering the flawed file validation logic exploited in this CVE.

prevent

Mandates timely identification, reporting, and correction of flaws like this file integrity bypass, aligning with the vendor's patch to version 25.11.

Security Summary (AI)

CVE-2025-44016 is a vulnerability in the TeamViewer DEX Client, formerly known as the 1E client, specifically affecting the Content Distribution Service component (NomadBranch.exe) in versions prior to 25.11 on Windows. The flaw allows attackers to bypass file integrity validation through a crafted request that supplies a valid hash for a malicious file. This causes the service to incorrectly treat the file as trusted, leading to its processing and enabling arbitrary code execution under the context of the Nomad Branch service. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-20 (Improper Input Validation).

Attackers on an adjacent network (AV:A) can exploit this vulnerability with low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). Successful exploitation has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), culminating in arbitrary code execution within the Nomad Branch service context. This could allow attackers to execute malicious payloads distributed via the content service, potentially compromising systems involved in file distribution workflows.

The TeamViewer security bulletin (TV-2025-1005) at https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1005/ details mitigation steps, with updating to version 25.11 or later addressing the issue by fixing the file integrity validation logic.

Details

CWE(s)

Affected Products

Vendor: teamviewer; Product: digital employee experience; Version: ≤ 25.11

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables arbitrary code execution by exploiting a remote content distribution service (NomadBranch.exe) over an adjacent network (AV:A) through improper input validation and hash bypass, directly mapping to Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References