CVE-2026-23566

6.5 MEDIUM

📋 TL;DR

This vulnerability allows attackers on the same network to manipulate log files in TeamViewer DEX Client's Content Distribution Service by sending crafted UDP packets. This compromises log integrity and non-repudiation capabilities. Organizations using vulnerable versions of TeamViewer DEX Client on Windows are affected.

💻 Affected Systems

Products:
  • TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service
Versions: All versions prior to 26.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the NomadBranch.exe component handling UDP network traffic for log management.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could erase evidence of compromise, manipulate forensic data, or inject false log entries to mislead investigations and hide other malicious activities.

🟠 Likely Case

Log tampering that undermines audit trails and compliance requirements, potentially hiding unauthorized access or configuration changes.

🟢 If Mitigated

Limited to log manipulation without direct system compromise, but still impacts forensic capabilities and compliance.

🌐 Internet-Facing: LOW - The vulnerability requires adjacent network access, not direct internet exposure.
🏢 Internal Only: MEDIUM - Attackers on the same internal network segment can exploit this, making it relevant for insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network adjacency but no authentication, making it relatively straightforward for attackers on the same network segment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 26.1 or later

Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/

Restart Required: Yes

Instructions:

1. Download TeamViewer DEX Client version 26.1 or later from official TeamViewer sources.
2. Install the update following standard installation procedures.
3. Restart the system or service to ensure the patch is fully applied.

🔧 Temporary Workarounds

Network Segmentation

Platform: Windows

Restrict UDP traffic to NomadBranch.exe with network segmentation or firewall rules so that only trusted hosts can reach it.

Example Windows Firewall rule (blocks all inbound UDP to the given port for this program):

netsh advfirewall firewall add rule name="Block NomadBranch UDP" dir=in action=block protocol=UDP localport=xxxx program="C:\Path\To\NomadBranch.exe"

Replace xxxx with the actual port used by NomadBranch.exe and C:\Path\To with its installation path.

Log File Protection

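Platform: Windows

Apply strict file permissions to the Nomad Branch.log file to prevent unauthorized modifications.

icacls "C:\Path\To\Nomad Branch.log" /inheritance:r /grant:r "SYSTEM:(F)" /grant:r "Administrators:(F)"

With inherited entries removed, SYSTEM and Administrators keep full control and other accounts get no access through inheritance. A deny entry for Everyone is omitted: deny entries take precedence over grants and Everyone includes SYSTEM and Administrators, so it would also block them from writing. These permissions limit direct file access only; they do not change what the service itself writes to the log.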

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate systems running vulnerable TeamViewer DEX Client from untrusted network segments.
  • Monitor and alert on unexpected modifications to Nomad Branch.log files using file integrity monitoring solutions.
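
A plain hash-change alert fires on every legitimate append to a log, so monitoring of Nomad Branch.log has to separate normal growth from changes to entries that were already written. The following is an added example, not TeamViewer's code or part of the advisory: function names and sample lines are constructed, and it flags removal or alteration of existing entries, not entries injected through the service itself.

```python
import hashlib
import os
import tempfile


def _sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of the file."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length)).hexdigest()


def snapshot(path):
    """Baseline for an append-only log: size plus hash of its current bytes."""
    size = os.path.getsize(path)
    return {"size": size, "sha256": _sha256_prefix(path, size)}


def check(path, baseline):
    """Return (verdict, new_baseline); only "appended" is normal log growth."""
    current = snapshot(path)
    if current["size"] < baseline["size"]:
        return "truncated", current  # earlier entries removed
    if _sha256_prefix(path, baseline["size"]) != baseline["sha256"]:
        return "rewritten", current  # earlier entries altered in place
    if current["size"] == baseline["size"]:
        return "unchanged", current
    return "appended", current


def demo():
    """Exercise each verdict on a constructed sample log (not real log output)."""
    verdicts = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.log")  # stand-in for the real log path
        with open(path, "wb") as f:
            f.write(b"10:00:01 service started\n10:00:05 cache check ok\n")
        base = snapshot(path)
        verdicts.append(check(path, base)[0])
        with open(path, "ab") as f:
            f.write(b"10:01:00 download complete\n")
        verdict, base = check(path, base)
        verdicts.append(verdict)
        with open(path, "r+b") as f:  # overwrite one byte of an old entry
            f.seek(9)
            f.write(b"S")
        verdicts.append(check(path, base)[0])
        with open(path, "wb") as f:  # drop everything after the first line
            f.write(b"10:00:01 service started\n")
        verdicts.append(check(path, base)[0])
    return verdicts
```

Store the baseline off the monitored host and take a fresh snapshot after any expected log rotation, which otherwise reports as "truncated".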

🔍 How to Verify

Check if Vulnerable:

Check the version of TeamViewer DEX Client installed. If the version is below 26.1, the system is vulnerable.

Check Version:

Check TeamViewer DEX Client version through the application interface or by examining the installed program version in Windows Control Panel > Programs and Features.

Verify Fix Applied:

Confirm that TeamViewer DEX Client version is 26.1 or higher and verify that NomadBranch.exe is no longer accepting unauthorized UDP log injections.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected modifications to Nomad Branch.log file timestamps or content
  • Log entries that don't match normal application behavior patterns

Network Indicators:

  • Unusual UDP traffic to the port used by NomadBranch.exe
  • UDP packets with crafted payloads targeting the log service

SIEM Query:

Example (field names are placeholders to adapt to your SIEM's schema):

(source="Nomad Branch.log" AND (event_type="modification" OR event_type="injection")) OR (destination_port="[NomadBranch_port]" AND protocol="UDP" AND suspicious_payload=*)
