CVE-2019-18988: TeamViewer Desktop up to 14.7.1965 contains a vulnerability that allows bypassing remote-login access control due to a shared AES key across installations, enabling potential decryption of stored credentials and unauthorized remote access.


Description Preview

TeamViewer Desktop versions through 14.7.1965 use a shared AES key for multiple installations and store sensitive data (such as OptionsPasswordAES) with that key. If an attacker obtains this key, they could decrypt protected information stored in the registry or configuration files. In versions before v9.x, this could permit decrypting the Unattended Access password, enabling remote login to the system and headless file browsing. The latest releases reportedly still rely on the same key for OptionsPasswordAES, though the storage method for the Unattended Access password appears to have changed. While exploitation often requires an existing session on a target, if registry or configuration keys are stored off the machine (e.g., on file shares or online), an attacker could decrypt the needed password to log in.

Overview

This CVE describes a local vulnerability in TeamViewer Desktop that arises from using a single shared AES key across installations to protect sensitive credentials. The risk is that an attacker who acquires the key can decrypt credentials stored on the host (registry or config files) and potentially bypass remote-login controls. The issue historically allowed decrypting the Unattended Access password in older versions, enabling remote access and file browsing; although newer storage methods may mitigate some exposure, the shared-key problem persists for certain credentials (OptionsPasswordAES). The CVSS context indicates a base score of 7.0 (HIGH) with local attack vector, high impact to confidentiality, integrity, and availability, low privileges required, and no user interaction. In practice, exploitation is more likely when credentials are stored off-device, such as on network shares or in online storage.

Remediation

  • Apply the latest TeamViewer release and follow the vendor’s security advisories for CVE-2019-18988. Ensure all affected endpoints are updated to a version that addresses the issue.
  • If immediate patching isn’t possible, disable Unattended Access or require interactive authentication for remote login to minimize credential exposure.
  • Audit and secure credential storage: ensure registry/config data containing passwords is not stored on network shares or insecure locations; move credentials to a secure, access-controlled vault or disable storing sensitive passwords locally if feasible.
  • Enforce stronger authentication: enable two-factor authentication for TeamViewer accounts and require strong, regularly rotated passwords.
  • Restrict remote access exposure: limit remote-login capabilities to trusted networks and monitor access logs for suspicious activity; disable remote login when not needed.
  • Perform asset discovery and inventory to identify endpoints still on vulnerable versions and prioritize upgrades.
  • Establish a policy to manage per-installation credentials (if available) rather than shared keys, and review any vendor guidance on mitigating OptionsPasswordAES exposure.
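
An added example for the credential-storage audit step above (not from the advisory or from TeamViewer): a Python sweep of a mounted share for exported registry or configuration files that carry the `OptionsPasswordAES` value, reporting only where it was found. The scanned extensions, the function names, and the sample export with its placeholder key path are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Value name taken from the advisory text; extend the tuple for your estate.
SENSITIVE_VALUES = ("OptionsPasswordAES",)
SCAN_EXTENSIONS = {".reg", ".ini", ".txt", ".bak"}  # assumption: adjust as needed
PATTERN = re.compile(r'^[ \t]*"?(' + "|".join(map(re.escape, SENSITIVE_VALUES))
                     + r')"?[ \t]*=', re.IGNORECASE | re.MULTILINE)


def decode_export(raw: bytes) -> str:
    """regedit 5.00 exports are UTF-16LE with a BOM; older exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def find_exposed_values(root: str):
    """Return sorted (relative_path, value_name, line_no); the blob is never echoed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = decode_export(fh.read())
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            for m in PATTERN.finditer(text):
                line_no = text.count("\n", 0, m.start(1)) + 1
                findings.append((os.path.relpath(path, root), m.group(1), line_no))
    return sorted(findings)


def demo():
    """Scan a constructed share holding one UTF-16LE .reg export (sample data)."""
    reg = ('Windows Registry Editor Version 5.00\r\n\r\n[HKEY_EXAMPLE\\Constructed]\r\n'
           '"OptionsPasswordAES"=hex:00,11,22,33\r\n')
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "backup.reg"), "wb") as fh:
            fh.write(b"\xff\xfe" + reg.encode("utf-16-le"))
        return find_exposed_values(root)


if __name__ == "__main__":
    print(demo())
```

Any hit on a share or backup location is a file to remove or lock down, and the password it protects should be rotated after the endpoint is upgraded.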

References

  • https://community.teamviewer.com/t5/Knowledge-Base/tkb-p/Knowledgebase?threadtype=label&labels=Security
  • https://whynotsecurity.com/blog/teamviewer/
  • https://twitter.com/Blurbdust/status/1224212682594770946?s=20
  • https://community.teamviewer.com/t5/Announcements/Specification-on-CVE-2019-18988/td-p/82264

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
  2. Health Care & Social Assistance: Medium
  3. Public Administration: Low
  4. Transportation & Warehousing: Low
  5. Educational Services: Low
  6. Other Services (except Public Administration): Low
  7. Management of Companies & Enterprises: Low
  8. Professional, Scientific, & Technical Services: Low
  9. Arts, Entertainment & Recreation: Low
  10. Agriculture, Forestry Fishing & Hunting: Low
  11. Finance and Insurance: Low
  12. Information: Low
  13. Real Estate Rental & Leasing: Low
  14. Retail Trade: Low
  15. Accommodation & Food Services: Low
  16. Administrative, Support, Waste Management & Remediation Services: Low
  17. Construction: Low
  18. Mining: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
