Information disclosure in TeamViewer
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-14333 |
| CWE-ID | CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
TeamViewer Remote Full Client for Windows Client/Desktop applications / Software for system administration |
| Vendor | TeamViewer |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU14011
Risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-14333
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to storing of a password in Unicode format within TeamViewer.exe process memory between "[00 88] and "[00 00 00]" delimiters. A remote attacker can leverage an unattended workstation on which TeamViewer has disconnected but remains running and access arbitrary data.
MitigationInstall update from vendor's website.
Vulnerable software versionsTeamViewer Remote Full Client for Windows: All versions
CPE2.3 External linkshttps://github.com/vah13/extractTVpasswords
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
