CVE-2026-23563

Medium

Published: 29 January 2026
Modified: 11 February 2026
CVSS Score v3.1: 5.7 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0005 (15.2th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23563 is a medium-severity Link Following (CWE-59) vulnerability in TeamViewer Digital Employee Experience. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE ranks at the 15.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-23563 is an Improper Link Resolution Before File Access vulnerability in TeamViewer DEX - 1E Client versions before 26.1 on Windows. The issue arises in the 1E-Explorer-TachyonCore-DeleteFileByPath instruction, where the software follows crafted RPC control junctions or symlinks without proper resolution checks prior to file access, enabling deletion of protected system files. Published on 2026-01-29, it is rated with a CVSS v3.1 base score of 5.7 (AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H) and maps to CWE-59.

A low-privileged local attacker can exploit this vulnerability by crafting an RPC control junction or symlink that is followed when the delete instruction executes, resulting in the deletion of protected system files. Although the description specifies a low-privileged local attacker, the CVSS vector indicates requirements for high privileges (PR:H), network attack vector (AV:N) with high complexity (AC:H), and user interaction (UI:R), leading to high impacts on integrity (I:H) and availability (A:H) with no confidentiality impact (C:N).

TeamViewer has published security bulletin TV-2026-1002 at https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/, which addresses the vulnerability.

Vulnerability details

Improper Link Resolution Before File Access (invoked by 1E-Explorer-TachyonCore-DeleteFileByPath instruction) in TeamViewer DEX - 1E Client before version 26.1 on Windows allows a low-privileged local attacker to delete protected system files via a crafted RPC control junction or symlink that is followed when the delete instruction executes.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Vulnerability enables unauthorized deletion of protected system files via symlink/junction abuse, directly facilitating file deletion (T1070.004) and data destruction (T1485).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23569 · Same product: Microsoft Windows
CVE-2026-23568 · Same product: Microsoft Windows
CVE-2025-44016 · Same product: Microsoft Windows
CVE-2025-15313 · Shared CWE-59
CVE-2025-15314 · Shared CWE-59
CVE-2025-21419 · Same vendor: Microsoft
CVE-2026-25187 · Same vendor: Microsoft
CVE-2025-29795 · Same vendor: Microsoft
CVE-2025-60710 · Same vendor: Microsoft
CVE-2025-21420 · Same vendor: Microsoft

Affected Assets

teamviewer · digital employee experience · ≤ 26.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces proper access checks on the DeleteFileByPath RPC instruction so that malicious symlinks/junctions cannot be followed to delete protected files.

prevent

Requires validation of file-path inputs to detect and reject crafted symlinks or junctions before the delete operation is performed.

prevent

Limits the privileges of the TachyonCore service so that even a successful symlink traversal cannot delete arbitrary protected system files.
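
The input-validation control above, sketched as an added example (not TeamViewer's or 1E's code): a delete helper that inspects every path component without following it and refuses symlinks, junctions and other reparse points. The names `is_link`, `delete_no_follow` and `demo`, and the directory layout, are hypothetical.

```python
import os
import stat
import tempfile

class LinkInPathError(Exception):
    """A path component is a symlink, junction or other reparse point."""

def is_link(path):
    st = os.lstat(path)  # lstat inspects the entry itself, never its target
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes exists only on Windows; junctions are reparse points.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def delete_no_follow(root, relative_path):
    """Delete root/relative_path only if no component below root is a link.
    Assumption: root itself is trusted and not writable by the caller."""
    parts = [p for p in relative_path.replace("\\", "/").split("/") if p]
    if not parts or any(p in (".", "..") for p in parts):
        raise ValueError("path must be a plain relative path")
    current = root
    for part in parts:
        current = os.path.join(current, part)
        if is_link(current):
            raise LinkInPathError(current)
    os.remove(current)
    return current

def demo():
    # Constructed layout: "work" is user-writable, "protected" stands in
    # for protected system files; "cache" is the planted link.
    with tempfile.TemporaryDirectory() as base:
        work = os.path.join(base, "work")
        protected = os.path.join(base, "protected")
        os.mkdir(work)
        os.mkdir(protected)
        target = os.path.join(protected, "system.cfg")
        plain = os.path.join(work, "temp.log")
        for p in (target, plain):
            open(p, "w").close()
        os.symlink(protected, os.path.join(work, "cache"), target_is_directory=True)
        try:
            delete_no_follow(work, "cache/system.cfg")
            blocked = False
        except LinkInPathError:
            blocked = True
        delete_no_follow(work, "temp.log")
        return {"blocked": blocked, "protected_intact": os.path.exists(target),
                "plain_deleted": not os.path.exists(plain)}
```

A check followed by a delete still leaves a window in which a component can be swapped, so this complements, rather than replaces, the reduced service privileges listed above.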
