CVE-2026-23570
📋 TL;DR
This vulnerability allows an attacker on the same network to send crafted UDP Sync commands to TeamViewer DEX Client's Content Distribution Service, enabling manipulation of log timestamps. This compromises log integrity and forensic analysis capabilities. Organizations using TeamViewer DEX Client (formerly 1E Client) versions prior to 26.1 on Windows are affected.
💻 Affected Systems
- TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate timestamps to hide malicious activities, disrupt forensic investigations, create false alibis for attacks, and potentially chain with other vulnerabilities by obscuring attack timelines.
Likely Case
Log timestamp manipulation leading to confusion during incident response, difficulty correlating events across systems, and reduced reliability of audit trails for compliance purposes.
If Mitigated
Minimal operational impact with preserved log integrity through proper network segmentation and monitoring, though forensic analysis might still be slightly complicated.
🎯 Exploit Status
Exploitation requires network adjacency and ability to send crafted UDP packets to the vulnerable service. No authentication is required to send the malicious Sync commands.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 26.1 or later
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/
Restart Required: Yes
Instructions:
1. Download TeamViewer DEX Client version 26.1 or later from official TeamViewer sources. 2. Install the update following TeamViewer's standard deployment procedures. 3. Restart affected systems to ensure the updated NomadBranch.exe is running.
🔧 Temporary Workarounds
Network Segmentation
windowsRestrict UDP access to NomadBranch.exe service to trusted systems only using firewall rules.
New-NetFirewallRule -DisplayName "Block NomadBranch UDP" -Direction Inbound -Protocol UDP -LocalPort [PORT_NUMBER] -Action Block
Disable Content Distribution Service
windowsTemporarily disable the vulnerable NomadBranch.exe service if not required for operations.
Stop-Service -Name "NomadBranch"
Set-Service -Name "NomadBranch" -StartupType Disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate systems running vulnerable TeamViewer DEX Client from untrusted networks.
- Deploy network monitoring to detect and alert on suspicious UDP traffic patterns targeting the Content Distribution Service port.
🔍 How to Verify
Check if Vulnerable:
Check the version of TeamViewer DEX Client installed. If version is below 26.1 and NomadBranch.exe is running, the system is vulnerable.Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*TeamViewer DEX*"} | Select-Object Name, VersionVerify Fix Applied:
Confirm TeamViewer DEX Client version is 26.1 or higher and verify NomadBranch.exe process is running the updated version.📡 Detection & Monitoring
Log Indicators:
- Unusual timestamp patterns in TeamViewer DEX logs
- Log entries with nonsensical datetime prefixes
- Gaps or inconsistencies in log sequencing
Network Indicators:
- Unusual UDP traffic to port used by NomadBranch.exe
- Multiple UDP Sync commands from unexpected sources
- UDP packets with malformed or crafted payloads
SIEM Query:
source="TeamViewer_DEX" AND (timestamp_format_error OR datetime_anomaly) OR dest_port=[NOMAD_PORT] AND protocol=UDP AND packet_size_anomaly