CVE-2026-23563
Published: 29 January 2026
Summary
CVE-2026-23563 is a medium-severity Link Following (CWE-59) vulnerability in TeamViewer Digital Employee Experience. Its CVSS base score is 5.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE ranks at percentile 15.2 for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-23563 is an Improper Link Resolution Before File Access vulnerability in TeamViewer DEX - 1E Client versions before 26.1 on Windows. The issue arises in the 1E-Explorer-TachyonCore-DeleteFileByPath instruction, where the software follows crafted RPC control junctions or symlinks without proper resolution checks prior to file access, enabling deletion of protected system files. Published on 2026-01-29, it is rated with a CVSS v3.1 base score of 5.7 (AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H) and maps to CWE-59.
A low-privileged local attacker can exploit this vulnerability by crafting an RPC control junction or symlink that is followed when the delete instruction executes, resulting in the deletion of protected system files. Although the description specifies a low-privileged local attacker, the CVSS vector indicates requirements for high privileges (PR:H), network attack vector (AV:N) with high complexity (AC:H), and user interaction (UI:R), leading to high impacts on integrity (I:H) and availability (A:H) with no confidentiality impact (C:N).
TeamViewer has published security bulletin TV-2026-1002 at https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/, which addresses the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4980
Vulnerability details
Improper Link Resolution Before File Access (invoked by 1E‑Explorer‑TachyonCore‑DeleteFileByPath instruction) in TeamViewer DEX - 1E Client before version 26.1 on Windows allows a low‑privileged local attacker to delete protected system files via a crafted RPC control junction or symlink that is followed when the delete instruction executes.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables unauthorized deletion of protected system files via symlink/junction abuse, directly facilitating file deletion (T1070.004) and data destruction (T1485).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforces proper access checks on the DeleteFileByPath RPC instruction so that malicious symlinks/junctions cannot be followed to delete protected files.
Requires validation of file-path inputs to detect and reject crafted symlinks or junctions before the delete operation is performed.
Limits the privileges of the TachyonCore service so that even a successful symlink traversal cannot delete arbitrary protected system files.
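The path-validation control described above, sketched as an added example (not TeamViewer's code or its fix): a delete helper that inspects every path component with `lstat` and refuses to proceed if any is a symlink, junction or other reparse point. The names `safe_delete`, `is_link` and `LinkInPathError`, the trusted `root` directory and the sample file layout are assumptions made for illustration.

```python
import os
import stat
import tempfile

class LinkInPathError(Exception):
    """A path component is a symlink, junction or other reparse point."""

def is_link(path):
    """True if path itself (not its target) is a symlink or Windows reparse point."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # populated only on Windows
    reparse = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)
    return stat.S_ISLNK(st.st_mode) or bool(attrs & reparse)

def safe_delete(root, relative):
    """Delete root/relative only if no component below root is a link."""
    parts = os.path.normpath(relative).split(os.sep)
    if os.path.isabs(relative) or ".." in parts:
        raise ValueError("path escapes root: %r" % relative)
    current = os.path.realpath(root)  # assumption: root itself is trusted
    for part in parts:
        current = os.path.join(current, part)
        if is_link(current):
            raise LinkInPathError(current)
    os.remove(current)
    return current

def demo():
    """Constructed layout: work/ holds a real file plus a link into protected/."""
    base = tempfile.mkdtemp()
    protected, work = os.path.join(base, "protected"), os.path.join(base, "work")
    os.mkdir(protected)
    os.mkdir(work)
    victim = os.path.join(protected, "important.cfg")
    scratch = os.path.join(work, "temp.log")
    for p in (victim, scratch):
        open(p, "w").close()
    # Stand-in for the planted link (creating symlinks on Windows may need extra rights).
    os.symlink(protected, os.path.join(work, "cache"))
    safe_delete(work, "temp.log")  # ordinary file: deleted
    try:
        safe_delete(work, os.path.join("cache", "important.cfg"))
        blocked = False
    except LinkInPathError:
        blocked = True  # link component found before any delete happened
    return blocked, os.path.exists(victim), os.path.exists(scratch)

if __name__ == "__main__":
    print(demo())
```

Because the check and the delete are separate steps, a link swapped in between them would still be followed; the block shows the validation logic only.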