TV-2026-1002

Improper Input and Privilege Handling for Authenticated Users in TeamViewer DEX (former 1E DEX)

Bulletin ID
TV-2026-1002
Issue Date
January 29, 2026
Last Update
January 29, 2026
Priority
CVSS
Up to 6.8 (Medium)
CVE-ID
CVE-2026-23563, CVE-2026-23571
Affected Products
TeamViewer DEX (formerly 1E DEX)

1. Summary

Command Injection and Privilege Escalation vulnerabilities were identified in TeamViewer DEX (formerly 1E DEX).

The vulnerabilities have been fixed in the versions listed below.

At this time, there is no indication that these vulnerabilities have been exploited in the wild.

2. Vulnerability Details

2.1 Privilege escalation in TeamViewer DEX - DeleteFileByPath instruction

CVE-ID

Description

Improper Link Resolution Before File Access (invoked by 1E-Explorer-TachyonCore-DeleteFileByPath instruction) in TeamViewer DEX - 1E Client before version 26.1 on Windows allows a low-privileged local attacker to delete protected system files via a crafted RPC control junction or symlink that is followed when the delete instruction executes.

The vulnerability has been fixed with 1E Client version 26.1. We recommend updating to the latest available version of the 1E Client.

CVSS3.1 Score

5.7 (Medium)

CVSS3.1 Vector String

Problem type

Affected Products

1E Client

Fixed versions

1E Client 26.1 (or higher)
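
The link-following delete described in section 2.1, shown beside a hardened form. This is an added example, not TeamViewer's code or its fix; it uses POSIX symlinks as a stand-in for Windows junctions (an assumption so that it runs on any POSIX system), and `naive_delete`, `safe_delete`, `demo` and the file names are hypothetical.

```python
import errno
import os
import tempfile


class LinkInPathError(Exception):
    """A path component below the root is a link or not a real directory."""


def naive_delete(root, rel):
    # Resolves every intermediate component, links included (the CWE-59 pattern).
    os.remove(os.path.join(root, rel))


def safe_delete(root, rel):
    """Delete root/rel, refusing to traverse any symlink below root."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("expected a plain relative path")
    nofollow_dir = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            try:
                # Open each directory relative to the one already held open.
                next_fd = os.open(name, nofollow_dir, dir_fd=dir_fd)
            except OSError as exc:
                if exc.errno in (errno.ELOOP, errno.ENOTDIR):
                    raise LinkInPathError(name) from exc
                raise
            os.close(dir_fd)
            dir_fd = next_fd
        # unlinkat() removes the entry itself and never follows a final link.
        os.unlink(parts[-1], dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def demo(delete):
    """Constructed scenario: 'cache' under the user-writable root is a link."""
    with tempfile.TemporaryDirectory() as protected, \
            tempfile.TemporaryDirectory() as root:
        target = os.path.join(protected, "system.cfg")
        open(target, "w").close()
        os.symlink(protected, os.path.join(root, "cache"))
        try:
            delete(root, "cache/system.cfg")
        except LinkInPathError:
            pass
        return os.path.exists(target)  # True means the protected file survived
```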

2.2 Command Injection in 1E-Nomad-RunPkgStatusRequest Instruction in TeamViewer DEX

CVE-ID

Description

A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Nomad-RunPkgStatusRequest instruction. Improper input validation allows authenticated attackers with actioner privilege to run elevated arbitrary commands on connected hosts via malicious commands injected into the instruction’s input field.

Users of the 1E Client version 24.5 or higher are not affected. We recommend updating to the latest 1E Client version (26.1 or above).

The affected instruction will no longer be shipped with DEX Platform versions 26.1 and above. We recommend deleting the instruction from tenants created before v26.1 and from on-premises installations.

CVSS3.1 Score

6.8 (Medium)

CVSS3.1 Vector String

Problem type

Affected Products

TeamViewer (1E) DEX - 1E-Nomad-RunPkgStatusRequest instruction

Fixed versions

1E Client 24.5 (or higher)

3. Solutions and mitigations

Vulnerability
Solution/Mitigation

CVE-2026-23563: Privilege escalation on TeamViewer DEX via DeleteFileByPath instruction

Update to 1E Client version 26.1 or above

CVE-2026-23571: Command Injection in 1E-Nomad-RunPkgStatusRequest Instruction

  • Update to 1E Client v26.1 or above.
  • Remove the 1E-Nomad-RunPkgStatusRequest instruction from the DEX Portal.

4. Acknowledgments

We would like to thank the Lockheed Martin Red Team for the discovery and responsible disclosure.