High-risk vulnerability for TeamViewer has been rectified

August 23, 2020
microsoft teamviewer vulnerability

A reportedly high-risk vulnerability of TeamViewer was recently discovered targeting Windows users, which, if exploited, could result in Cybercriminals stealing your system password and further exploitations.

This attack does not require interaction from their victim as it can perform automatically.


About TeamViewer

TeamViewer is a software application that is used for remote control, desktop sharing, online meetings, and file transfers between hosts. This application can run in Windows, macOS, Linux, Android, Chrome OS, Linux, Windows RT, Windows Phone 8, and Blackberry Operating Systems.

The software usage for 2020 has skyrocketed in demand caused by COVID-19 that shifted millions of workers to work remotely.

The vulnerability that was recently discovered classified as CVE-2020-13699 is due to the TeamViewer Windows application’s improper quoting. It is custom URI handlers that could be exploited by Cybercriminals.

This weakness in TeamViewer’s URI Scheme that was discovered by Jeffrey Hofmann, a Security Engineer from a Private Security firm.


How does CVE-2020-13699 work? 

A Cybercriminal that wants to exploit this vulnerability will use a maliciously crafted web page embedded with an iframe, an HTML document embedded inside another HTML document on a website. 

Usually disguised, the iframe will be loaded as “teamviewer10: a URI scheme resulting in the launch of TeamViewer application. 

These kinds of URI schemes are often used to quickly launch some applications. 


microsoft teamviewer vulnerability image 1


On the exploitation of the application, Cybercriminals will use the malicious code as an attribute to the URI scheme, which would allow the app to connect to the Cybercriminal’s remote SMB Share. According to Hoffman, Windows will perform an NTLM Authentication when opening SMB Share, and the request will be relayed using a tool for the execution of codes.

Because the exploited application is the one that initiated the connection, it will no longer require passwords, which means that it will result in a leak system’s username and NTLMv2 version of the passwords and other future exploitations. This vulnerability affects the URI handlers teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1.

TeamViewer was able to patch the vulnerability, which is fortunately not exploited in the wild as of now.  The reported vulnerability reportedly affects TeamViewer with versions 8 to 15 (up to 15.8.2) on the Windows platform. So, users are advised to immediately upgrade to the latest version, 15.8.3, to prevent being a victim of this vulnerability.

About the author

Leave a Reply