Cyber Posture

CVE-2026-23563

Medium

Published: 29 January 2026

Modified: 11 February 2026
KEV Added
Patch
CVSS Score: 5.7 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0004 (11.0th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23563 is a medium-severity Link Following (CWE-59) vulnerability in TeamViewer Digital Employee Experience. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE ranks at the 11.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to File Deletion (T1070.004) and 1 other technique.
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Vulnerability enables unauthorized deletion of protected system files via symlink/junction abuse, directly facilitating file deletion (T1070.004) and data destruction (T1485).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Link Resolution Before File Access (invoked by 1E-Explorer-TachyonCore-DeleteFileByPath instruction) in TeamViewer DEX - 1E Client before version 26.1 on Windows allows a low-privileged local attacker to delete protected system files via a crafted RPC control junction or symlink that is followed when the delete instruction executes.

Deeper analysis (AI)

CVE-2026-23563 is an Improper Link Resolution Before File Access vulnerability in TeamViewer DEX - 1E Client versions before 26.1 on Windows. The issue arises in the 1E-Explorer-TachyonCore-DeleteFileByPath instruction, where the software follows crafted RPC control junctions or symlinks without proper resolution checks prior to file access, enabling deletion of protected system files. Published on 2026-01-29, it is rated with a CVSS v3.1 base score of 5.7 (AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H) and maps to CWE-59.

A low-privileged local attacker can exploit this vulnerability by crafting an RPC control junction or symlink that is followed when the delete instruction executes, resulting in the deletion of protected system files. Although the description specifies a low-privileged local attacker, the CVSS vector indicates requirements for high privileges (PR:H), network attack vector (AV:N) with high complexity (AC:H), and user interaction (UI:R), leading to high impacts on integrity (I:H) and availability (A:H) with no confidentiality impact (C:N).

TeamViewer has published security bulletin TV-2026-1002 at https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/, which addresses the vulnerability.

Details

CWE(s)

Affected Products

teamviewer · digital employee experience · ≤ 26.1

CVEs Like This One

CVE-2026-23569 · Same product: Microsoft Windows
CVE-2026-23568 · Same product: Microsoft Windows
CVE-2025-44016 · Same product: Microsoft Windows
CVE-2025-15313 · Shared CWE-59
CVE-2025-15314 · Shared CWE-59
CVE-2025-60710 · Same vendor: Microsoft
CVE-2025-49739 · Same vendor: Microsoft
CVE-2025-25008 · Same vendor: Microsoft
CVE-2026-20941 · Same vendor: Microsoft
CVE-2025-21391 · Same vendor: Microsoft
