CVE-2026-23571 | THREATINT

Description

A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-RunPkgStatusRequest instruction. Improper input validation allows authenticated attackers with actioner privilege to run elevated arbitrary commands on connected hosts via malicious commands injected into the instruction’s input field. Users of 1E Client version 24.5 or higher are not affected.

PUBLISHED Reserved 2026-01-14 | Published 2026-01-29 | Updated 2026-01-29 | Assigner TV

MEDIUM: 6.8CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-20 Improper Input Validation

Product status

Default status

unaffected

Any version

affected

Credits

Lockheed Martin Red Team finder

References

www.teamviewer.com/...enter/security-bulletins/tv-2026-1002/

cve.org (CVE-2026-23571)

nvd.nist.gov (CVE-2026-23571)

Download JSON