CVE-2026-23564 Overview
CVE-2026-23564 is a cleartext transmission vulnerability in the TeamViewer Digital Employee Experience (DEX) Client, formerly known as the 1E Client. The flaw resides in the Content Distribution Service component, NomadBranch.exe, on Windows. An attacker on an adjacent network can force UDP traffic that should be encrypted to be transmitted in cleartext. This exposes sensitive information that traverses the content distribution channel. The vulnerability is classified under CWE-319: Cleartext Transmission of Sensitive Information. TeamViewer addressed the issue in version 26.1 and published TeamViewer Security Bulletin TV-2026-1001.
Critical Impact
Adjacent network attackers can intercept sensitive data carried over UDP by downgrading encrypted communications to cleartext.
Affected Products
- TeamViewer Digital Employee Experience (DEX) Client (former 1E Client) prior to version 26.1
- TeamViewer Content Distribution Service (NomadBranch.exe)
- Microsoft Windows platforms running the affected DEX Client
Discovery Timeline
- 2026-01-29 - CVE-2026-23564 published to the National Vulnerability Database
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2026-23564
Vulnerability Analysis
The TeamViewer DEX Client uses the Content Distribution Service (NomadBranch.exe) to coordinate content delivery between endpoints and distribution points. This service exchanges UDP traffic that should be protected by encryption. Under conditions reachable from the adjacent network, the service transmits this UDP traffic in cleartext. An attacker positioned on the same broadcast domain or local network segment can passively capture the traffic. Captured content may include configuration data, distribution metadata, or other sensitive fields normally protected on the wire.
The vulnerability does not require authentication or user interaction. The impact is limited to confidentiality, with no direct integrity or availability impact. Because exposure depends on local network adjacency, exploitation is constrained to attackers with foothold or presence on the same network segment as the affected client.
Root Cause
The root cause is improper enforcement of the encryption requirement for outbound UDP traffic in NomadBranch.exe. When specific conditions occur, the service falls back to or initiates communication without applying the expected cryptographic protection. This corresponds to [CWE-319], the transmission of sensitive information without encryption.
Attack Vector
An attacker must be on the adjacent network, such as the same VLAN, Wi-Fi network, or local subnet, as a vulnerable client. The attacker passively captures UDP packets emitted by NomadBranch.exe. No credentials, privileges, or user interaction are required. Active man-in-the-middle techniques such as ARP spoofing can extend the attacker's visibility, but passive sniffing within the broadcast domain is sufficient to recover cleartext payloads. See the TeamViewer Security Bulletin TV-2026-1001 for vendor-confirmed details.
Detection Methods for CVE-2026-23564
Indicators of Compromise
- Unexpected cleartext UDP traffic originating from hosts running NomadBranch.exe on TeamViewer DEX Client versions prior to 26.1
- Network captures showing TeamViewer or 1E Nomad protocol fields visible without encryption on standard Nomad UDP ports
- Presence of vulnerable DEX Client builds reported by software inventory tools
Detection Strategies
- Audit endpoint inventories for installed TeamViewer DEX Client versions and flag any build earlier than 26.1
- Run targeted packet captures on subnets containing DEX Clients and inspect UDP flows associated with NomadBranch.exe for plaintext content
- Correlate process telemetry from NomadBranch.exe with network connection logs to identify hosts emitting unencrypted distribution traffic
Monitoring Recommendations
- Monitor for new or unauthorized devices joining VLANs that host DEX Client endpoints, since exploitation requires adjacent network access
- Alert on ARP cache anomalies, rogue DHCP, or port mirroring on segments where DEX Clients operate
- Track installed software versions over time to confirm rollout of the 26.1 update across the fleet
How to Mitigate CVE-2026-23564
Immediate Actions Required
- Upgrade the TeamViewer DEX Client (former 1E Client) to version 26.1 or later on all Windows endpoints
- Inventory all systems running NomadBranch.exe and prioritize patching on segments shared with untrusted devices
- Review network segmentation to limit which hosts share a broadcast domain with DEX Clients
Patch Information
TeamViewer has released DEX Client version 26.1, which remediates CVE-2026-23564 by enforcing encryption on UDP traffic handled by the Content Distribution Service. Administrators should consult TeamViewer Security Bulletin TV-2026-1001 for the authoritative fixed-version details and download instructions.
Workarounds
- Restrict adjacent network access by isolating DEX Client endpoints on dedicated VLANs with strict access control lists
- Enforce 802.1X authentication and wired/wireless port security to prevent unauthorized devices from sniffing local UDP traffic
- Where feasible, route content distribution traffic over network paths protected by IPsec or equivalent link-layer encryption until patching completes
# Configuration example: query installed DEX Client version on Windows
Get-CimInstance -ClassName Win32_Product | \
Where-Object { $_.Name -like "*1E Client*" -or $_.Name -like "*TeamViewer DEX*" } | \
Select-Object Name, Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
