cbcvebase.
CVE-2019-18988
published 2020-02-07


Priority: P2 · 79 · high
CVSS 3.1: 7 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 4.75% (90.7th percentile)
TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protected information stored in the registry or configuration files of TeamViewer. With versions before v9.x, this allowed attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off the machine (such as in a file share or online), an attacker could then decrypt the password required to log in to the system.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
teamviewer | teamviewer | <= 14.7.1965 |

Detection & IOCs (extracted from sources)

registry: OptionsPasswordAES
registry: OptionPasswordAES
  • Hunt for TeamViewer registry keys containing AES-encrypted password values (OptionsPasswordAES / OptionPasswordAES). Presence of these keys combined with known shared AES key decryption attempts indicates exploitation of CVE-2019-18988.
  • Monitor for post-exploitation tooling (e.g., Metasploit module post/windows/gather/credentials/teamviewer_passwords) executing on Windows hosts, which specifically targets TeamViewer stored credentials.
  • Alert on access to TeamViewer registry hives or configuration files from non-TeamViewer processes, especially when followed by outbound connections — may indicate credential harvesting for remote login bypass.
  • For pre-v9 TeamViewer installations, prioritize detection: the shared AES key directly exposes the Unattended Access password, enabling full remote login and headless file browsing without user interaction.
  • The same hardcoded AES key has been present across all TeamViewer installations since at least v7.0.43148, meaning any installation in that range shares the same decryption key — scope of exposure is very broad.
  • TeamViewer Desktop through 14.7.1965 is confirmed vulnerable; versions before v9.x are at highest risk as the Unattended Access password is directly decryptable with the shared key.
  • Exploitation does not strictly require an active session if TeamViewer registry/config files are accessible remotely (e.g., stored on a file share), significantly lowering the bar for unauthenticated attackers.

CVSS provenance

nvd | v3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P
vulncheck | 7.0 | HIGH
cisa | 7.0 | HIGH