CVE-2026-23571

6.8 MEDIUM

📋 TL;DR

A command injection vulnerability in TeamViewer DEX (formerly 1E DEX) allows authenticated attackers with actioner privilege to execute arbitrary commands with elevated privileges on connected hosts. The vulnerability exists in the 1E-Nomad-RunPkgStatusRequest instruction due to improper input validation. Users of 1E Client version 24.5 or higher are not affected.

💻 Affected Systems

Products:
  • TeamViewer DEX (formerly 1E DEX)
Versions: Below 24.5
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where the 1E Client is installed and configured with actioner privileges. Requires authenticated access with actioner privilege level.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of connected hosts, allowing attackers to install malware, steal data, pivot to other systems, or disrupt operations.

🟠 Likely Case

Privilege escalation leading to unauthorized system access, data exfiltration, or deployment of ransomware on vulnerable endpoints.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are in place to detect anomalous command execution.

🌐 Internet-Facing: LOW - Exploitation requires authenticated access with actioner privileges, making direct internet exploitation unlikely without prior compromise.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts with actioner privileges can exploit this to gain elevated access across the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Once authenticated with actioner privileges, exploitation is straightforward via command injection.

Exploitation requires authenticated access with actioner privileges, making it an insider threat or post-compromise attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1E Client version 24.5 or higher

Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/

Restart Required: Yes

Instructions:

1. Download and install 1E Client version 24.5 or higher from the official TeamViewer portal.
2. Restart the affected systems to apply the update.
3. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Restrict Actioner Privileges

all

Limit the number of users with actioner privileges to only those who absolutely need them for their role.

Network Segmentation

all

Segment networks to limit the blast radius if exploitation occurs, preventing lateral movement.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unusual command execution patterns in logs.
  • Deploy endpoint detection and response (EDR) solutions to detect and block malicious command injection attempts.

🔍 How to Verify

Check if Vulnerable:

Check the installed version of 1E Client on endpoints. If below 24.5, the system is vulnerable.

Check Version:

On Windows: '1E-Client.exe --version' or check in Programs and Features. On Linux: '1e-client --version' or check package manager.

Verify Fix Applied:

Confirm that 1E Client version is 24.5 or higher after applying the update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution via 1E-Nomad-RunPkgStatusRequest instruction
  • Multiple failed authentication attempts followed by successful actioner login

Network Indicators:

  • Anomalous outbound connections from endpoints after command execution
  • Unexpected network traffic to command and control servers

SIEM Query:

source="1e-client.log" AND event="RunPkgStatusRequest" AND (command="*;*" OR command="*|*" OR command="*&*")
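
The same check as an offline log scan, added here as an example (not vendor or TeamViewer code): the metacharacter test applies only to RunPkgStatusRequest events, so other events that legitimately contain `&` or `|` are not flagged. The key="value" line layout, the `host` field, and the sample lines are constructed assumptions; only the `event` and `command` field names come from the query above.

```python
import re

# Shell metacharacters the SIEM query looks for in the command field.
METACHARS = (";", "|", "&")

# key="value" or key=value pairs. This layout is an assumption for the
# example, not the documented 1E Client log format.
PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_line(line):
    """Return the key/value fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in PAIR_RE.findall(line)}


def is_suspicious(fields):
    """True only for RunPkgStatusRequest events whose command holds a metacharacter."""
    if fields.get("event") != "RunPkgStatusRequest":
        return False
    command = fields.get("command", "")
    return any(ch in command for ch in METACHARS)


def scan(lines):
    """Return (line number, host, command) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = parse_line(line)
        if is_suspicious(fields):
            hits.append((number, fields.get("host", "?"), fields["command"]))
    return hits


# Constructed sample input (not real product logs).
SAMPLE_LOG = [
    'ts=2026-01-12T09:14:02Z host=ws-0142 event="RunPkgStatusRequest" command="pkg-7f3a status"',
    'ts=2026-01-12T09:14:09Z host=ws-0142 event="RunPkgStatusRequest" command="pkg-7f3a status; id"',
    'ts=2026-01-12T09:15:30Z host=srv-0007 event="InventorySync" command="sync --full & notify"',
    'ts=2026-01-12T09:16:11Z host=lx-0033 event="RunPkgStatusRequest" command="pkg-11b2 | tee out"',
]

if __name__ == "__main__":
    for number, host, command in scan(SAMPLE_LOG):
        print(f"line {number} host={host} command={command!r}")
```
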
