
TeamViewer

Severity: High

Likelihood: Medium - High (Commonly installed, often misconfigured, and frequently targeted by attackers)

General Guidance

Restrict, monitor, and harden all remote access tools like TeamViewer. Enforce strong authentication and ensure usage is limited to approved, controlled scenarios only.

What is the concern?

TeamViewer is a legitimate remote administration tool, but if improperly configured, weakly secured, or unauthorized, it can provide attackers with full remote control of systems. Threat actors actively scan for exposed or compromised TeamViewer instances and use stolen credentials to gain persistent access.

Business Impact

  • Unauthorized remote access to endpoints and servers

  • Data exfiltration (sensitive files, credentials, intellectual property)

  • Deployment of ransomware or other malware

  • Circumvention of network perimeter defenses

  • Loss of customer trust and regulatory exposure

How can this risk be resolved?

  • Enforce Multi-Factor Authentication (MFA) on all TeamViewer accounts

  • Restrict access via allowlists (trusted devices/IPs)

  • Disable unattended access unless explicitly required

  • Remove unauthorized or unused TeamViewer installations

  • Integrate usage into centralized logging and SIEM monitoring

  • Keep TeamViewer clients updated to the latest version

  • Use endpoint detection & response (EDR) to monitor remote sessions

Where TeamViewer must remain in use, its services should instead be placed behind a firewall and/or VPN (or an equivalent control) so that no unwanted party can reach them, because any such access could later be used to reach the internal network through connected devices or through an accidental connection onto the core network. If the services are placed behind a firewall/VPN, only a narrow set of allow-listed services should be permitted to connect. If you do this, KYND will mark the issue as resolved.

If this isn’t possible, you should take alternative steps to mitigate the issue.

This could include adding extra layers of authentication, including MFA or PKI certificates to ensure that only authenticated users and services are able to connect.

If none of these are possible, then these services should be entirely separated from the rest of your organization's infrastructure, ensuring that there is no way an attacker could traverse from an attack on this service to gain access to sensitive data, services, networks or infrastructure.

Real-World Example

  • 2016 TeamViewer Account Compromise Wave: Thousands of users reported unauthorized access to their systems. Attackers leveraged credential stuffing (reused passwords from other breaches) to log into TeamViewer accounts, leading to financial theft and system compromise.

  • In multiple ransomware cases (including variants of Conti and Ryuk campaigns), attackers have used legitimate remote access tools like TeamViewer post-compromise to maintain persistence and move laterally, blending in with normal administrative activity.

Detection Opportunities

  • Logins from unusual geographic locations or IP addresses

  • Connections occurring outside normal business hours

  • Repeated failed login attempts (possible credential stuffing)

  • New device associations or changes to trusted devices

  • Execution of TeamViewer processes on systems where it is not approved

  • Unexpected file transfers during remote sessions

  • Endpoint alerts indicating remote control activity
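The detection opportunities listed above, together with the allowlist and centralized-logging items under "How can this risk be resolved?", can be turned into simple review logic. The Python below is an added example and is not part of this advisory or of TeamViewer's own tooling. It runs over a constructed, simplified connection log (tab-separated remote TeamViewer ID, display name, start, end, local user, session type) and a constructed authentication-event feed; the approved-ID allowlist, business hours, known source networks and failure threshold are assumptions to replace with your own values, and the log layout must be verified against what your TeamViewer clients and SIEM actually produce before it is used on real data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample connection log (not real data). Columns: remote ID,
# display name, start, end, local user, session type. This layout is an
# assumption for the example and must be checked against real client logs.
CONNECTION_LOG = """\
1234567890\tHelpdesk-Alice\t03-06-2024 10:12:03\t03-06-2024 10:31:44\tWS01\\bob\tRemoteControl
1234567890\tHelpdesk-Alice\t03-06-2024 14:02:11\t03-06-2024 14:09:50\tWS01\\bob\tFileTransfer
9876543210\tUnknown\t04-06-2024 02:17:30\t04-06-2024 03:45:01\tWS01\\bob\tRemoteControl
9876543210\tUnknown\t04-06-2024 03:50:12\t04-06-2024 03:58:27\tWS01\\bob\tFileTransfer
"""

# Constructed sample authentication events (not real data): time, source IP, outcome.
AUTH_EVENTS = """\
2024-06-03T10:11:40Z 198.51.100.23 OK
2024-06-04T02:10:01Z 203.0.113.45 FAIL
2024-06-04T02:10:09Z 203.0.113.45 FAIL
2024-06-04T02:10:18Z 203.0.113.45 FAIL
2024-06-04T02:10:27Z 203.0.113.45 FAIL
2024-06-04T02:10:35Z 203.0.113.45 FAIL
2024-06-04T02:16:58Z 203.0.113.45 OK
"""

# Policy inputs (assumed values): trusted remote IDs, office hours, known egress
# networks, and the failed-login burst that suggests credential stuffing.
APPROVED_REMOTE_IDS = {"1234567890"}
BUSINESS_HOURS = (8, 18)
KNOWN_SOURCE_NETWORKS = [ip_network("198.51.100.0/24")]
FAILED_LOGIN_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=10)


def parse_connections(text):
    """Parse the constructed connection-log format into session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        remote_id, display, start, end, local_user, kind = line.split("\t")
        sessions.append({
            "remote_id": remote_id, "display_name": display, "kind": kind,
            "start": datetime.strptime(start, "%d-%m-%Y %H:%M:%S"),
            "end": datetime.strptime(end, "%d-%m-%Y %H:%M:%S"),
            "local_user": local_user,
        })
    return sessions


def parse_auth_events(text):
    """Parse the constructed 'time source outcome' authentication feed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, outcome = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "source": ip_address(source), "ok": outcome == "OK"})
    return events


def outside_business_hours(when, hours=BUSINESS_HOURS):
    """True on weekends or outside the [start, end) office-hour window."""
    start_hour, end_hour = hours
    return when.weekday() >= 5 or not (start_hour <= when.hour < end_hour)


def analyse_sessions(sessions, approved_ids=APPROVED_REMOTE_IDS):
    """Flag sessions from non-allowlisted IDs, off-hours sessions, and
    file transfers that happen in either of those suspicious contexts."""
    findings = []
    for s in sessions:
        unapproved = s["remote_id"] not in approved_ids
        off_hours = outside_business_hours(s["start"])
        label = f'{s["remote_id"]} ({s["display_name"]}) -> {s["local_user"]} at {s["start"]:%Y-%m-%d %H:%M}'
        if unapproved:
            findings.append(("unapproved_remote_id", label))
        if off_hours:
            findings.append(("out_of_hours", label))
        if s["kind"] == "FileTransfer" and (unapproved or off_hours):
            findings.append(("suspicious_file_transfer", label))
    return findings


def analyse_auth(events, known_networks=KNOWN_SOURCE_NETWORKS,
                 threshold=FAILED_LOGIN_THRESHOLD, window=FAILURE_WINDOW):
    """Flag successful logins from unknown networks and bursts of failures
    from one source inside the sliding window (one finding per source)."""
    findings, failures = [], defaultdict(list)
    for e in events:
        if e["ok"]:
            if not any(e["source"] in net for net in known_networks):
                findings.append(("unusual_source", f'successful login from {e["source"]} at {e["time"]:%Y-%m-%d %H:%M}'))
        else:
            failures[e["source"]].append(e["time"])
    for source, times in failures.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                findings.append(("repeated_failures", f'{hi - lo + 1} failed logins from {source} within {window}'))
                break
    return findings


def run():
    """Apply both analysers to the constructed sample data."""
    return analyse_sessions(parse_connections(CONNECTION_LOG)) + analyse_auth(parse_auth_events(AUTH_EVENTS))


def summarise(findings):
    """Count findings per rule, e.g. for a SIEM dashboard tile."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, detail in run():
        print(f"[{rule}] {detail}")
```

On the sample data the approved helpdesk sessions during office hours produce no findings, while the unknown ID connecting at 02:17 and transferring files at 03:50 trips three rules, and the five failed logins followed by a success from an unknown network trip the credential-stuffing and unusual-source rules. In production the same structure applies, but the session and authentication records would come from the SIEM rather than inline strings, and the allowlist should be generated from the device inventory rather than maintained by hand.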