CVE-2020-13160

9.8 CRITICAL

📋 TL;DR

This CVE describes a format string vulnerability in AnyDesk on Linux and FreeBSD systems that allows remote attackers to execute arbitrary code. The vulnerability affects AnyDesk versions before 5.5.3 and can be exploited without authentication. Organizations using vulnerable AnyDesk installations on Linux or FreeBSD are at risk of complete system compromise.

💻 Affected Systems

Products:
  • AnyDesk
Versions: before 5.5.3
Operating Systems: Linux, FreeBSD
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Linux and FreeBSD versions. Windows and macOS versions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attacker gains full control of the system, installs persistent malware, pivots to other systems, and exfiltrates sensitive data.

🟠 Likely Case

Attacker executes arbitrary code with the privileges of the AnyDesk process, potentially gaining initial foothold for further network exploitation.

🟢 If Mitigated

If proper network segmentation and least privilege are implemented, impact is limited to the isolated AnyDesk host with minimal lateral movement risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits exist, and the vulnerability can be exploited remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.3 and later

Vendor Advisory: https://download.anydesk.com/changelog.txt

Restart Required: Yes

Instructions:

1. Download AnyDesk 5.5.3 or later from the official website.
2. Stop the AnyDesk service.
3. Install the new version.
4. Restart the AnyDesk service.

🔧 Temporary Workarounds

Disable AnyDesk Service

linux

Temporarily disable AnyDesk to prevent exploitation while planning upgrade

sudo systemctl stop anydesk
sudo systemctl disable anydesk

Network Isolation

linux

Block AnyDesk ports at firewall to prevent remote access

sudo iptables -A INPUT -p tcp --dport 7070 -j DROP
sudo iptables -A INPUT -p udp --dport 7070 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit AnyDesk traffic to trusted IPs only
  • Run AnyDesk with minimal privileges using a dedicated low-privilege user account

🔍 How to Verify

Check if Vulnerable:

Run anydesk --version and compare the result to 5.5.3; any version before 5.5.3 is vulnerable.

Check Version:

anydesk --version

Verify Fix Applied:

Verify version is 5.5.3 or higher: [ "$(printf '%s\n' 5.5.3 "$(anydesk --version)" | sort -V | head -n1)" = 5.5.3 ] && echo 'Patched'
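
An added example (not from the original page or from AnyDesk): a POSIX shell audit that applies the 5.5.3 threshold to a list of collected version strings. It compares components numerically, so releases such as 5.10.0 or 5.5.10 are classified correctly and unparseable values are reported instead of being assumed patched. The "host version" inventory format, the hostnames and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify hosts by reported AnyDesk version (fixed in 5.5.3).
FIXED_VERSION="5.5.3"

# is_version STRING: succeed only for dotted decimal strings such as 5.5.3.
is_version() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# version_lt A B: succeed if A is strictly lower than B, comparing each
# dot-separated component as a number (so 5.10.0 is newer than 5.5.3).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# audit_inventory: read "host version" lines on stdin, print one verdict each.
audit_inventory() {
    while read -r host ver; do
        case $host in ''|'#'*) continue ;; esac
        if ! is_version "$ver"; then
            echo "$host UNKNOWN"        # fail closed: needs manual review
        elif version_lt "$ver" "$FIXED_VERSION"; then
            echo "$host VULNERABLE"
        else
            echo "$host PATCHED"
        fi
    done
}

# Constructed sample inventory (hostnames and versions are made up).
sample_inventory() {
    printf '%s\n' 'build-01 5.5.2' 'desk-07 5.5.3' 'desk-12 5.10.0' \
        'bsd-02 5.1.1' 'kiosk-03 6.0.0' 'lab-09 unknown'
}

sample_inventory | audit_inventory
```

Feed it real data by piping a file of "host version" lines into audit_inventory, with the version column taken from anydesk --version on each host.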

📡 Detection & Monitoring

Log Indicators:

  • Unusual AnyDesk process activity
  • Suspicious network connections to AnyDesk port 7070
  • Format string error messages in system logs

Network Indicators:

  • Unusual traffic patterns to AnyDesk default port 7070
  • Connection attempts from unexpected IP addresses

SIEM Query:

source="anydesk.log" AND ("format string" OR "segmentation fault" OR "buffer overflow")
