Description
A command
injection vulnerability was discovered in TeamViewer DEX Platform On-Premises
(former 1E DEX Platform On-Premises) prior to version 9.2. Improper input validation allows
authenticated users with at least questioner privileges to inject commands in specific
instructions. Exploitation could lead to execution of elevated commands on
devices connected to the platform.
Published: 2026-05-13
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in TeamViewer DEX Platform On‑Premises caused by missing server‑side validation of instruction input. Authenticated users with at least questioner privileges can inject commands into specific instructions, and if successfully exploited, the attacker can execute elevated commands on devices connected to the platform.

Affected Systems

TeamViewer DEX Platform On‑Premises versions prior to 9.2 are affected; version 9.2 and later contain the fix.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The flaw requires authentication and the presence of a questioner‑level user, making it an internal threat vector. An attacker with the required privileges could inject commands that execute with elevated privileges on connected devices.

Generated by OpenCVE AI on May 13, 2026 at 18:51 UTC.

Remediation

Vendor Solution

Update to the latest version (v9.2 or the latest available version).

OpenCVE Recommended Actions

  • Upgrade TeamViewer DEX Platform On‑Premises to version 9.2 or later.
  • Restrict the use of questioner privileges to only essential personnel and audit role assignments.
  • Enable logging and monitor for anomalous instruction execution attempts to detect potential exploitation.

Generated by OpenCVE AI on May 13, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Teamviewer
Teamviewer dex
Vendors & Products Teamviewer
Teamviewer dex

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability was discovered in TeamViewer DEX Platform On-Premises (former 1E DEX Platform On-Premises) prior to version 9.2. Improper input validation allows authenticated users with at least questioner privileges to inject commands in specific instructions. Exploitation could lead to execution of elevated commands on devices connected to the platform.
Title Lack of Server-side validation in Instruction Input in TeamViewer DEX Platform (On-Premises)
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Teamviewer Dex
cve-icon MITRE

Status: PUBLISHED

Assigner: TV

Published:

Updated: 2026-05-13T17:45:24.249Z

Reserved: 2026-02-18T14:30:36.890Z

Link: CVE-2026-2695

cve-icon Vulnrichment

Updated: 2026-05-13T17:45:18.243Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T17:16:19.453

Modified: 2026-05-13T18:10:51.227

Link: CVE-2026-2695

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:34:12Z

Weaknesses