CVE-2026-23563
📋 TL;DR
This vulnerability allows a low-privileged local attacker on Windows systems to delete protected system files by exploiting improper link resolution in TeamViewer DEX - 1E Client. The attacker can craft a malicious RPC control junction or symlink that gets followed during file deletion operations. This affects TeamViewer DEX - 1E Client versions before 26.1 on Windows.
💻 Affected Systems
- TeamViewer DEX - 1E Client
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Critical system files could be deleted, causing system instability, data loss, or complete system failure requiring reinstallation.
Likely Case
Local attackers could delete configuration files, logs, or application data to disrupt operations or cover tracks after other malicious activities.
If Mitigated
With proper access controls and monitoring, impact is limited to potential deletion of non-critical files accessible to low-privileged users.
🎯 Exploit Status
Exploitation requires local access and knowledge of the system. The vulnerability is in the delete file instruction processing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 26.1
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/
Restart Required: Yes
Instructions:
1. Download TeamViewer DEX - 1E Client version 26.1 or later from official TeamViewer sources. 2. Install the update following TeamViewer's standard installation procedures. 3. Restart the system to ensure all components are updated.
🔧 Temporary Workarounds
Restrict local access
windowsLimit physical and remote local access to systems running vulnerable TeamViewer versions
Monitor file deletion operations
windowsEnable auditing for file deletion operations in protected directories
auditpol /set /subcategory:"File System" /success:enable /failure:enable
🧯 If You Can't Patch
- Remove TeamViewer DEX - 1E Client from critical systems until patched
- Implement strict access controls to prevent local attackers from reaching vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check TeamViewer DEX - 1E Client version in Control Panel > Programs and Features or via command lineCheck Version:
wmic product where name="TeamViewer DEX - 1E Client" get versionVerify Fix Applied:
Verify installed version is 26.1 or higher and check TeamViewer service is running properly📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in Windows Security logs
- TeamViewer service errors related to file operations
- Access denied errors for protected system files
Network Indicators:
- Local RPC calls to TeamViewer services with file deletion parameters
SIEM Query:
EventID=4663 AND ObjectName CONTAINS "system32" AND ProcessName CONTAINS "TeamViewer"