CVE-2026-23564

6.5 MEDIUM

📋 TL;DR

A vulnerability in TeamViewer DEX Client's Content Distribution Service (NomadBranch.exe) allows attackers on adjacent networks to force encrypted UDP traffic to be sent in cleartext. This affects Windows systems running versions prior to 26.1, potentially exposing sensitive information transmitted over the network.

💻 Affected Systems

Products:
  • TeamViewer DEX Client (formerly 1E Client) Content Distribution Service
Versions: All versions prior to 26.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the NomadBranch.exe component of TeamViewer DEX Client on Windows systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete exposure of all sensitive data transmitted via the Content Distribution Service, including credentials, configuration data, and proprietary information, to adjacent network attackers.

🟠 Likely Case

Partial disclosure of sensitive information such as configuration details, file transfer metadata, and potentially authentication tokens to attackers on the same network segment.

🟢 If Mitigated

Limited exposure of non-critical metadata with proper network segmentation and monitoring in place.

🌐 Internet-Facing: LOW - The vulnerability requires adjacent network access, not direct internet exposure.
🏢 Internal Only: HIGH - Attackers on internal networks can exploit this to intercept sensitive communications between TeamViewer DEX clients.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires adjacent network access but no authentication. The vulnerability involves forcing encrypted traffic to cleartext, which is relatively straightforward for network-based attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 26.1 or later

Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/

Restart Required: Yes

Instructions:

1. Download TeamViewer DEX Client version 26.1 or later from official sources.
2. Install the update following standard installation procedures.
3. Restart affected systems to ensure the updated NomadBranch.exe service is running.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate TeamViewer DEX Client systems from untrusted network segments to prevent adjacent network attacks.

Service Disablement (platform: Windows)

Temporarily disable the Content Distribution Service if not required for operations.

sc stop NomadBranch
sc config NomadBranch start= disabled

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate TeamViewer DEX Client systems from potential attackers.
  • Monitor network traffic for cleartext UDP communications on port 65000 (default NomadBranch port) and alert on suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check the version of TeamViewer DEX Client installed. If version is below 26.1, the system is vulnerable.

Check Version:

Check TeamViewer DEX Client version through the application interface or examine installed programs in Windows Control Panel.

Verify Fix Applied:

Verify that TeamViewer DEX Client version is 26.1 or higher and that NomadBranch.exe service is running the updated version.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service restarts of NomadBranch.exe
  • Security logs showing network manipulation attempts

Network Indicators:

  • Cleartext UDP traffic on port 65000 where encrypted traffic was expected
  • Unusual network patterns from systems running TeamViewer DEX Client

SIEM Query:

source="network_traffic" dest_port=65000 protocol=UDP payload_contains_plaintext=true
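
The query above depends on a sensor populating a field such as payload_contains_plaintext. The following is an added example, not code from the vendor or from this page, of one way to derive such a flag for UDP datagrams to port 65000 using printable-byte ratio and length-normalised entropy. The thresholds, record layout, addresses and payloads are constructed assumptions, and nothing here reflects the actual NomadBranch wire format.

```python
import hashlib
import math
from collections import Counter

NOMAD_PORT = 65000  # default NomadBranch UDP port, as stated on this page

def norm_entropy(data: bytes) -> float:
    """Shannon entropy scaled to 0..1 against the maximum possible for this length."""
    n = len(data)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / min(8.0, math.log2(n))

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def classify(payload: bytes, min_len=32, printable_min=0.85, entropy_max=0.85) -> str:
    """Assumed thresholds; tune them against known-good encrypted captures."""
    if len(payload) < min_len:
        return "too-short"   # not enough bytes for a stable estimate
    if printable_ratio(payload) >= printable_min:
        return "cleartext"   # mostly ASCII text
    if norm_entropy(payload) < entropy_max:
        return "cleartext"   # structured data, e.g. UTF-16 text full of NUL bytes
    return "opaque"          # near-random, consistent with ciphertext

def flag_flows(records):
    """Return source addresses that sent cleartext-looking UDP to NOMAD_PORT."""
    return sorted({src for src, proto, dport, payload in records
                   if proto == "UDP" and dport == NOMAD_PORT
                   and classify(payload) == "cleartext"})

# Constructed sample records (documentation addresses, invented payloads).
RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))
SAMPLE = [
    ("192.0.2.10", "UDP", 65000, RANDOMISH),
    ("192.0.2.11", "UDP", 65000, b"package=ExamplePkg host=WS-0142 state=ready"),
    ("192.0.2.12", "UDP", 65000, "host=WS-0142 share=ExampleCache".encode("utf-16-le")),
    ("192.0.2.13", "UDP", 53, b"unrelated traffic on another port, ignored here"),
    ("192.0.2.14", "UDP", 65000, b"\x01\x02"),
]

if __name__ == "__main__":
    print(flag_flows(SAMPLE))
```

Compressed content also scores as opaque, so this heuristic only separates readable or structured payloads from random-looking ones; baseline it on patched hosts before alerting.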
