TV-2024-1008

Insufficient permissions in the “TeamViewer Patch & Asset Management” component

Bulletin ID
TV-2024-1008
Issue Date
Dec 11, 2024
Last Update
Dec 11, 2024
Priority
Important
CVSS
7.1 (High)
Assigned CVE
CVE-2024-12363
Affected Products
TeamViewer Remote Management: Patch Management (Windows)

1. Summary

A vulnerability has been discovered in the “TeamViewer Patch & Asset Management” component which could allow a local authenticated user to delete arbitrary files on a Windows system.

2. Vulnerability Details

CVE-ID

CVE-2024-12363

Description

Insufficient permissions in the “TeamViewer Patch & Asset Management” component prior to version 24.12 on Windows allows a local authenticated user to delete arbitrary files.

The component “TeamViewer Patch & Asset Management” is only installed as part of TeamViewer Remote Management’s Patch Management feature. If the Asset Management feature is not configured or not added to a specific device or group, the affected component will not be installed.

To exploit this vulnerability, an attacker first needs to obtain local access to the Windows system.

The vulnerability has been fixed with the latest version as listed below and the component will be updated automatically.

CVSS3.1 Score

Base Score 7.1 (High)

CVSS3.1 Vector String

Problem type

3. Affected products and versions

The “TeamViewer Patch & Asset Management” component before version 24.12 is affected. The component is updated automatically, and no further action is needed.

To manually check whether a specific system has been updated, check the version of the installed application “TeamViewer Patch & Asset Management” (via Windows: Apps: Installed apps).

Product
TeamViewer Patch & Asset Management
Versions
< 24.12
Info
Updated automatically
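
One way to script the manual version check described above, as an added example (not TeamViewer's own tooling): it reads the standard Windows uninstall registry keys behind the installed-apps list and compares the component's version with 24.12. It assumes the component registers a DisplayName beginning with the name used in this bulletin and a dotted numeric DisplayVersion.

```powershell
# Added example: report whether "TeamViewer Patch & Asset Management" is at or
# above the fixed version named in this bulletin.
$DisplayName  = 'TeamViewer Patch & Asset Management'   # component name from the bulletin
$FixedVersion = [version]'24.12'                        # fixed version from the bulletin

# Standard Windows uninstall keys (64-bit and 32-bit registry views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ComponentStatus {
    param([string]$Name, [version]$Fixed)

    # Assumption: the uninstall entry's DisplayName starts with the bulletin's name.
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$Name*" }

    if (-not $entries) {
        # Per the bulletin, the component is absent unless the feature is configured.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Version = $null; Status = 'NotInstalled'
        }
    }

    foreach ($entry in $entries) {
        $raw    = [string]$entry.DisplayVersion
        $parsed = $null
        # Assumption: DisplayVersion begins with 2 to 4 dotted numeric parts.
        if ($raw -match '^\d+(\.\d+){1,3}') { $parsed = [version]$Matches[0] }

        $status = if (-not $parsed)          { 'UnknownVersion' }
                  elseif ($parsed -lt $Fixed) { 'Affected' }
                  else                        { 'Fixed' }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Version = $raw; Status = $status
        }
    }
}

Get-ComponentStatus -Name $DisplayName -Fixed $FixedVersion | Format-Table -AutoSize
```

A status of `UnknownVersion` means the entry exists but its version string did not parse, so that system should be checked by hand.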

4. Solutions and mitigations

The component is updated automatically, and no further action is needed.