Skip to content
ProtocolPorts

Port reference

Port 5938 (TCP) – TeamViewer

TeamViewer remote-support and remote-control protocol, used for attended and unattended access.

tcpRegisteredCommonly attacked

Default state

Used as an outbound connection by the TeamViewer client to its relay servers. The port is rarely listened on locally but enables remote control once the client runs.

Common attacks

  • Account takeover via credential stuffing and reused passwords
  • Abuse of unattended-access passwords for persistent remote control
  • Social-engineering victims into installing or sharing TeamViewer IDs
  • Pivoting from a compromised TeamViewer account to managed endpoints

Hardening

  • Enable two-factor authentication on every TeamViewer account
  • Use strong, unique passwords and allowlist trusted devices
  • Disable unattended access where it is not strictly required
  • Restrict which accounts may connect and review the connection log
  • Keep the client updated and uninstall it where unused

nmap snippet

nmap -p5938 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5938?

Port 5938 is the primary channel for TeamViewer, a popular remote-support and remote-control product. The client makes an outbound TCP connection to TeamViewer's relay infrastructure on 5938 (falling back to 443 or 80), which then brokers attended help-desk sessions and unattended access to registered devices. The port is rarely opened for inbound listening; control flows through the relay.

Why it matters for security

Because TeamViewer ties remote control to an online account, that account is the prize. Waves of credential-stuffing attacks have produced account takeovers where intruders logged in with reused passwords and then drove the victim's mouse and keyboard directly. Unattended-access passwords and always-on installs turn a single compromised account into persistent control of every linked endpoint.

How it's attacked

Attackers replay credentials leaked from unrelated breaches against TeamViewer logins, succeeding wherever passwords are reused and 2FA is off. They also social-engineer users into installing TeamViewer or sharing their ID and password. Once in, the account's device list becomes a map for pivoting across an organization's machines.

Hardening checklist

Turn on two-factor authentication for every TeamViewer account and use strong, unique passwords. Allowlist trusted devices and restrict which accounts may connect. Disable unattended access where it is not required, review the connection log for unknown sessions, keep the client patched, and uninstall it on machines that no longer need it.

Related ports

Port 3389Port 5900Port 6568Port 443

Frequently asked questions

Why does TeamViewer use port 5938?
TeamViewer prefers an outbound TCP connection to its relay servers on 5938 for the best performance, falling back to 443 or 80 if 5938 is blocked. It rarely needs an inbound open port.
How are TeamViewer accounts compromised?
The main vector is credential stuffing — attackers reuse passwords leaked elsewhere to log into accounts, then control any device linked to that account. Two-factor authentication blocks this.