CVE-2026-23565
📋 TL;DR
A vulnerability in TeamViewer DEX Client's Content Distribution Service (NomadBranch.exe) allows attackers on adjacent networks to crash the service via crafted requests, causing denial-of-service. This affects Windows systems running TeamViewer DEX Client (formerly 1E Client) Content Distribution Service versions prior to 26.1. The service disruption prevents content distribution functionality until restarted.
💻 Affected Systems
- TeamViewer DEX Client (formerly 1E Client) Content Distribution Service
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of content distribution services across the organization, halting software deployments, updates, and configuration management until services are manually restarted.
Likely Case
Intermittent service outages affecting specific endpoints or network segments, requiring IT intervention to restart NomadBranch.exe processes.
If Mitigated
Minimal impact with quick detection and automated recovery processes in place, though some brief service interruption may occur.
🎯 Exploit Status
Crafted requests can be sent without authentication from adjacent network positions. The vulnerability is a NULL pointer dereference (CWE-476) that causes process termination.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 26.1 or later
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/
Restart Required: Yes
Instructions:
1. Download TeamViewer DEX Client version 26.1 or later from official sources.
2. Install the update on all affected systems.
3. Restart the Content Distribution Service or reboot systems to ensure the updated NomadBranch.exe is running.
🔧 Temporary Workarounds
Network Segmentation
(All platforms) Isolate systems running NomadBranch.exe from untrusted network segments to prevent adjacent network attacks.
Service Monitoring and Auto-restart
(Windows) Configure monitoring to detect NomadBranch.exe crashes and automatically restart the service.
sc failure "NomadBranch" reset= 86400 actions= restart/5000/restart/5000/restart/5000
🧯 If You Can't Patch
- Implement strict network segmentation to isolate systems running the vulnerable service from potential attackers on adjacent networks.
- Deploy monitoring and alerting for NomadBranch.exe process crashes with rapid response procedures to manually restart services.
🔍 How to Verify
Check if Vulnerable:
Check the version of TeamViewer DEX Client installed. If NomadBranch.exe version is below 26.1, the system is vulnerable.
Check Version:
wmic datafile where name="C:\\Program Files\\TeamViewer\\DEX Client\\NomadBranch.exe" get version
Verify Fix Applied:
Verify that NomadBranch.exe version is 26.1 or higher and monitor for successful service operation without crashes.
📡 Detection & Monitoring
Log Indicators:
- Windows Application Event Log entries showing NomadBranch.exe crashes (Event ID 1000)
- Service termination events in System logs
Network Indicators:
- Unusual network traffic patterns to/from systems running NomadBranch.exe on port 8080 (default)
- Multiple connection attempts followed by service unavailability
SIEM Query:
source="windows" AND ((event_id=1000 AND process_name="NomadBranch.exe") OR (event_id=7036 AND service_name="NomadBranch"))
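
The version check and log indicators above combined into one local PowerShell check, as an added example that is not part of the original page or the vendor's tooling. The install path, service name and event IDs are the ones given on this page; the 7-day lookback and the function names are assumptions.

```powershell
# Added example: path, service name and event IDs come from this page;
# the 7-day lookback and the function names are assumptions.
$ExePath     = 'C:\Program Files\TeamViewer\DEX Client\NomadBranch.exe'
$ServiceName = 'NomadBranch'
$FixedIn     = [version]'26.1.0.0'
$Since       = (Get-Date).AddDays(-7)

function Get-NomadBranchVersion {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }  # not installed at this path
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build from the numeric parts; the FileVersion string can carry extra text.
    New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Get-NomadBranchCrashEvents {
    param([string]$Service, [datetime]$After)
    # Event ID 7036 records the service display name, so resolve it first.
    $svcObj  = Get-Service -Name $Service -ErrorAction SilentlyContinue
    $display = if ($svcObj) { $svcObj.DisplayName } else { $Service }
    $app = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $After
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'NomadBranch\.exe' }
    $sys = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 7036; StartTime = $After
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($display) }
    @($app) + @($sys) | Sort-Object TimeCreated
}

$version = Get-NomadBranchVersion -Path $ExePath
if ($null -eq $version) {
    Write-Output "NomadBranch.exe not found at $ExePath"
} elseif ($version -lt $FixedIn) {
    Write-Output "VULNERABLE: NomadBranch.exe $version is below $FixedIn"
} else {
    Write-Output "Patched: NomadBranch.exe $version"
}

# Show whether the restart-on-failure workaround is configured.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) { sc.exe qfailure $ServiceName }

Get-NomadBranchCrashEvents -Service $ServiceName -After $Since |
    Select-Object TimeCreated, Id, LogName, Message | Format-List
```

Repeated Event ID 1000 entries for NomadBranch.exe on a host that still reports a version below 26.1 are the combination worth alerting on.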