CVE-2026-23572: CWE-863 Incorrect Authorization in TeamViewer Remote
Improper access control in the TeamViewer Full and Host clients (Windows, macOS, Linux) prior to version 15.74.5 allows an authenticated user to bypass additional access controls with “Allow after confirmation” configuration in a remote session. An exploit could result in unauthorized access prior to local confirmation. The user needs to be authenticated for the remote session via ID/password, Session Link, or Easy Access as a prerequisite to exploit this vulnerability.
AI Analysis
Technical Summary
CVE-2026-23572 is an improper access control vulnerability classified under CWE-863. It affects all TeamViewer Full and Host clients on Windows, macOS, and Linux prior to version 15.74.5. The flaw is a bypass of the 'Allow after confirmation' feature, which is designed to require local user confirmation before remote session access is granted. An authenticated attacker, who has already gained remote session authentication through valid credentials, Session Link, or Easy Access, can exploit this vulnerability to circumvent the local confirmation step and gain unauthorized access to the remote system. The bypass undermines the control intended to prevent remote control without explicit local user approval.
The vulnerability has a CVSS v3.1 base score of 7.2 (high severity): the attack vector is network, attack complexity is low, high privileges are required (authenticated user), no user interaction is needed, and confidentiality, integrity, and availability are all impacted. Although no public exploits are known at this time, the vulnerability poses a significant risk because it allows an authenticated user to escalate privileges and control a system without local user consent, potentially leading to data theft, system manipulation, or denial of service. The vulnerability was reserved in January 2026 and published in February 2026.
Potential Impact
For European organizations, the impact of CVE-2026-23572 can be substantial, especially for those relying heavily on TeamViewer for remote support, teleworking, or critical infrastructure management. Unauthorized access prior to local confirmation can lead to exposure of sensitive data, unauthorized system changes, and potential disruption of services. Confidentiality is at risk as attackers can access private information; integrity is compromised through unauthorized modifications; and availability may be affected if attackers disrupt or disable systems. Sectors such as finance, healthcare, manufacturing, and government agencies that use TeamViewer for remote operations are particularly vulnerable. The requirement for prior authentication limits exploitation to insiders or attackers who have obtained valid credentials, but social engineering or credential theft could facilitate this. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly. The vulnerability could also be leveraged in targeted attacks against European organizations with high-value assets or critical operations.
Mitigation Recommendations
The primary mitigation is to upgrade all TeamViewer Full and Host clients to version 15.74.5 or later, where the vulnerability is patched. Organizations should enforce strict access controls and multi-factor authentication (MFA) for TeamViewer accounts to reduce the risk of credential compromise. Review and tighten remote access policies, limiting the use of 'Allow after confirmation' configurations where possible, or replacing them with more secure alternatives. Monitor remote session logs for unusual activity and implement network segmentation to restrict TeamViewer access to trusted networks and devices. Educate users about phishing and credential theft risks to prevent unauthorized authentication. Consider deploying endpoint detection and response (EDR) solutions to detect anomalous remote access behaviors. Regularly audit TeamViewer configurations and access permissions to ensure compliance with security policies. Finally, maintain an incident response plan that includes procedures for remote access compromise scenarios.
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: TV
- Date Reserved: 2026-01-14T13:54:40.322Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69848649f9fa50a62f1d4e61
Added to database: 2/5/2026, 12:00:09 PM
Last enriched: 2/5/2026, 12:14:29 PM
Last updated: 3/21/2026, 10:53:57 AM