=====================================================================

                            CERT-Renater

                  Information Note No. 2025/VULN062

_____________________________________________________________________

DATE                : 31/01/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows running TeamViewer Full Client,
                                 TeamViewer Host.

=====================================================================
https://www.teamviewer.com/fr/resources/trust-center/security-bulletins/tv-2025-1001/
_____________________________________________________________________

Improper Neutralization of Argument Delimiters in TeamViewer Clients


Bulletin ID
    TV-2025-1001
Issue Date
    28 Jan. 2025
Last Update
    28 Jan. 2025
Priority
    High
CVSS
    7.8 (High)
Assigned CVE
    CVE-2025-0065

Affected Products
    TeamViewer Remote
    TeamViewer Tensor


1. Summary

A vulnerability has been discovered in the TeamViewer Clients for
Windows which allows local privilege escalation on a Windows system.

2. Vulnerability Details

CVE-ID    CVE-2025-0065

Description
        
Improper Neutralization of Argument Delimiters in the
TeamViewer_service.exe component of TeamViewer Full Client & Host
prior to version 15.62 (and additional versions listed below) for Windows
allows an attacker with local unprivileged access on a Windows system
to elevate privileges via argument injection.

To exploit this vulnerability, an attacker needs local access to the
Windows system.

We have no indication that this vulnerability has been or is being
exploited in the wild.

The vulnerability has been fixed with version 15.62 and additional
versions listed below. We recommend updating to the latest available
version.

CVSS3.1 Score            Base Score 7.8 (High)

CVSS3.1 Vector String    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem type             CWE-88: Improper Neutralization of Argument
                          Delimiters in a Command ('Argument Injection')


3. Affected products and versions


Product                            Versions       Info

TeamViewer Full Client (Windows)   < 15.62        Download available
TeamViewer Full Client (Windows)   < 14.7.48799   Download available
TeamViewer Full Client (Windows)   < 13.2.36226   Download available
TeamViewer Full Client (Windows)   < 12.0.259319  Download available
TeamViewer Full Client (Windows)   < 11.0.259318  Download available
TeamViewer Host (Windows)          < 15.62        Download available
TeamViewer Host (Windows)          < 14.7.48799   Download available
TeamViewer Host (Windows)          < 13.2.36226   Download available
TeamViewer Host (Windows)          < 12.0.259319  Download available
TeamViewer Host (Windows)          < 11.0.259318  Download available


4. Solutions and mitigations

Update to the latest version (15.62 or the latest version available)
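
To find which installations still need this update, the added example
below (not part of the TeamViewer bulletin) triages an exported version
inventory against the table in section 3. It assumes each table row gives
the first fixed build of one major branch; the host names and installed
versions in the sample are constructed.

```python
# Added example: triage TeamViewer Windows versions against TV-2025-1001.
# Assumption: each row of the "Affected products and versions" table is the
# first fixed build of one major branch (15.x, 14.x, 13.x, 12.x, 11.x).
FIXED_BY_MAJOR = {
    15: (15, 62),
    14: (14, 7, 48799),
    13: (13, 2, 36226),
    12: (12, 0, 259319),
    11: (11, 0, 259318),
}

def parse_version(text):
    """Turn '15.61.4' into (15, 61, 4); raise ValueError otherwise."""
    parts = text.strip().split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def _pad(v, n):
    # Pad with zeros so (15, 62) and (15, 62, 0) compare as equal.
    return v + (0,) * (n - len(v))

def classify(version_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unparseable"
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        return "not-listed"  # branch absent from the bulletin's table
    n = max(len(v), len(fixed))
    return "affected" if _pad(v, n) < _pad(fixed, n) else "fixed"

def triage(inventory):
    """Keep the (host, product, version) rows that still need the update."""
    return [row for row in inventory if classify(row[2]) == "affected"]

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [
    ("ws-001", "TeamViewer Full Client", "15.61.4"),
    ("ws-002", "TeamViewer Host", "15.62.4"),
    ("ws-003", "TeamViewer Host", "14.7.48798"),
    ("ws-004", "TeamViewer Full Client", "13.2.36226"),
    ("ws-005", "TeamViewer Full Client", "10.0.47484"),
]

if __name__ == "__main__":
    for host, product, ver in SAMPLE:
        print(f"{host:8} {product:24} {ver:12} {classify(ver)}")
```

Rows reported as "not-listed" or "unparseable" need manual review, since
the bulletin makes no statement about them.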


5. Acknowledgments

Anonymous of Trend Micro Zero Day Initiative

        
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
