cbcvebase.
CVE-2020-13699
published 2020-07-29

CVE-2020-13699: TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary…

PriorityP272high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
25.90%
97.7th percentile
TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.

Affected

1 ranges
VendorProductVersion rangeFixed in
teamviewerteamviewer< 15.8.315.8.3

Detection & IOCsextracted from sources · hover to see the quote

commandteamviewer10: --play URL
otherteamviewer10
otherteamviewer8
otherteamviewerapi
othertvchat1
othertvcontrol1
othertvfiletransfer1
othertvjoinv8
othertvpresent1
othertvsendfile1
othertvsqcustomer1
othertvsqsupport1
othertvvideocall1
othertvvpn1
filename.tvs
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TeamViewer .tvs iFrame Observed (CVE-2020-13699)"; flow:established,to_client; http.response_body; content:"<iframe|20|"; content:"|20|src="; distance:0; pcre:"/^[\x22\x27]t(?:eamviewer(\d+|api)|v(c(hat|ontrol)|filetransfer|joinv|present|s(endfile|q(customer|support))|v(ideocall|pn))\d)/R"; content:"|3a 20|--play"; distance:0; fast_pattern; content:".tvs"; distance:0; reference:url,www.bleepingcomputer.com/news/security/teamviewer-fixes-bug-that-lets-attackers-access-your-pc/; classtype:attempted-admin; sid:2030668; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_10, cve CVE_2020_13699, deployment Perimeter, confidence High, signature_severity Major, tag Teamviewer, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07;)
  • Only Firefox can be exploited by this vulnerability, as all other browsers encode the space after 'play' and before the SMB location, preventing successful exploitation. Target detection/hunting to Firefox user-agent sessions invoking TeamViewer URI handlers.
  • Detect HTTP responses containing an iframe with a TeamViewer custom URI scheme (teamviewer10, teamviewerapi, tvchat1, tvcontrol1, etc.) followed by '--play' and a '.tvs' file reference — the canonical exploit delivery pattern.
  • The attack forces an outbound SMB connection from the victim to an attacker-controlled IP to capture or relay NTLM authentication hashes. Monitor for unexpected outbound SMB (port 445/139) connections triggered from browser processes.
  • The Metasploit module 'auxiliary/server/teamviewer_uri_smb_redirect' implements this attack; presence of this module's traffic pattern or its use in logs is a strong indicator of active exploitation.
  • ·Exploitation requires the victim to be using Firefox; other browsers URL-encode the space in the URI, breaking the attack chain.
  • ·The Snort/ET rule (sid:2030668) inspects HTTP response bodies for the iframe+URI+--play+.tvs pattern; it will not fire on HTTPS traffic unless TLS inspection is in place.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.