CVE-2026-23571 is a command injection vulnerability classified under CWE-20 (Improper Input Validation) found in TeamViewer DEX, formerly known as 1E DEX. The flaw exists specifically in the 1E-Nomad-RunPkgStatusRequest instruction, where insufficient validation of input allows an authenticated attacker with actioner privileges to inject and execute arbitrary commands on connected hosts with elevated permissions. This vulnerability leverages the ability to manipulate the instruction’s input field to run malicious commands, potentially compromising the confidentiality, integrity, and availability of affected systems. The vulnerability affects all versions prior to TeamViewer DEX 24.5; users of version 24.5 or higher are not vulnerable. The CVSS v3.1 score is 6.8, reflecting a medium severity rating, with attack vector being network-based, low attack complexity, requiring high privileges and user interaction, and resulting in high impact across all security objectives. No public exploits or active exploitation campaigns have been reported to date. The vulnerability is significant in environments where TeamViewer DEX is used for remote management, especially in enterprise and critical infrastructure settings, as it could allow lateral movement or privilege escalation if exploited. The lack of a patch link suggests that users should upgrade to version 24.5 or later to remediate the issue.

For European organizations, this vulnerability poses a considerable risk, particularly for enterprises and critical infrastructure sectors that rely on TeamViewer DEX for remote management and automation. Successful exploitation could lead to unauthorized command execution with elevated privileges, enabling attackers to compromise sensitive data, disrupt operations, or deploy further malware. The impact on confidentiality, integrity, and availability is high, potentially resulting in data breaches, system downtime, and loss of trust. Given the requirement for authenticated access with actioner privileges, insider threats or compromised credentials could facilitate exploitation. Organizations with extensive remote management deployments or those in sectors such as finance, healthcare, energy, and government are at heightened risk. The absence of known exploits in the wild reduces immediate threat but does not eliminate the risk of future attacks, especially as threat actors often target widely used remote access tools.

To mitigate this vulnerability, European organizations should immediately verify their TeamViewer DEX version and upgrade to version 24.5 or later, which is confirmed not vulnerable. Until upgrades are completed, restrict actioner privileges strictly to trusted personnel and implement strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Monitor logs for unusual command execution patterns related to the 1E-Nomad-RunPkgStatusRequest instruction. Employ network segmentation to limit the exposure of hosts managed via TeamViewer DEX. Conduct regular audits of user privileges and access controls to ensure least privilege principles are enforced. Additionally, implement endpoint detection and response (EDR) solutions capable of detecting anomalous command injection or privilege escalation activities. Maintain up-to-date backups and incident response plans to quickly recover from potential exploitation.