CVE-2025-27916

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to spoof AnyDesk IDs when connections are established via IP addresses, enabling impersonation of legitimate remote access sessions. It affects AnyDesk for Windows versions before 9.0.6 and AnyDesk for Android versions before 8.0.0. Users who connect via IP addresses instead of AnyDesk IDs are vulnerable.

💻 Affected Systems

Products:
  • AnyDesk for Windows
  • AnyDesk for Android
Versions: Windows: before 9.0.6, Android: before 8.0.0
Operating Systems: Windows, Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects connections established via IP addresses, not connections using AnyDesk IDs.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could intercept and manipulate remote desktop sessions, gaining unauthorized access to systems, stealing credentials, or deploying malware while appearing as legitimate connections.

🟠 Likely Case: Session hijacking where attackers impersonate legitimate users to access remote systems, potentially leading to data theft or unauthorized control.

🟢 If Mitigated: Limited impact if connections use AnyDesk IDs exclusively and proper authentication controls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires network position to intercept and manipulate traffic between AnyDesk clients.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Windows: 9.0.6, Android: 8.0.0

Vendor Advisory: https://anydesk.com/en/changelog/windows

Restart Required: Yes

Instructions:

1. Download the latest version from the official AnyDesk website.
2. Install the update.
3. Restart the AnyDesk service or the system.

🔧 Temporary Workarounds

Disable IP-based connections (platforms: all)

Configure AnyDesk to only accept connections using AnyDesk IDs instead of IP addresses.

Network segmentation (platforms: all)

Isolate AnyDesk traffic to trusted networks only.

🧯 If You Can't Patch

  • Use VPN for all remote connections to encrypt traffic and prevent spoofing.
  • Implement strict access controls and monitor for unusual AnyDesk connection patterns.

🔍 How to Verify

Check if Vulnerable:

Check the AnyDesk version: Windows - Help > About, Android - Settings > About. If the version is below 9.0.6 on Windows or below 8.0.0 on Android, the system is vulnerable.

Check Version:

Windows: anydesk.exe --version, Android: Check in app settings

Verify Fix Applied:

Confirm version is Windows 9.0.6 or higher, or Android 8.0.0 or higher.
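
The version check above, applied across a fleet, as an added example that is not part of the original page or of AnyDesk's own tooling. It assumes version strings were already collected per host (for instance from the anydesk.exe --version output mentioned above); the function names, hostnames and versions in the sample inventory are constructed.

```python
# Added example: audit an inventory of AnyDesk installs against the fixed
# versions this page lists. Inventory rows are constructed sample data.
import re

# Fixed versions from this page: Windows 9.0.6, Android 8.0.0.
FIXED = {"windows": (9, 0, 6), "android": (8, 0, 0)}

def parse_version(text):
    """Return the first dotted version in text as a tuple of ints, or None."""
    m = re.search(r"\d+(?:\.\d+)+", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def classify(platform, version_text):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unknown'."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return "not-listed"        # this page lists only Windows and Android
    ver = parse_version(version_text)
    if ver is None:
        return "unknown"           # unreadable version: check the host by hand
    # Pad so "9.1" compares as (9, 1, 0). Tuples compare numerically, so
    # 9.0.10 is newer than 9.0.6 (a plain string comparison gets this wrong).
    width = max(len(ver), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "vulnerable" if pad(ver) < pad(fixed) else "fixed"

def audit(rows):
    """rows: iterable of (host, platform, version_text). Returns {host: status}."""
    return {host: classify(platform, ver) for host, platform, ver in rows}

# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE = [
    ("ws-01", "Windows", "9.0.5"),
    ("ws-02", "Windows", "9.0.10"),
    ("ws-03", "windows", "8.1.0\r\n"),
    ("tab-01", "Android", "7.1.1"),
    ("tab-02", "Android", "8.0.0"),
    ("mac-01", "macOS", "9.0.1"),
    ("ws-04", "Windows", ""),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:8} {status}")
```

Hosts reported as unknown had no readable version string and need a manual check rather than being treated as fixed.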

📡 Detection & Monitoring

Log Indicators:

  • Unusual connection patterns
  • Multiple failed authentication attempts from same IP
  • Connections from unexpected IP addresses

Network Indicators:

  • Unencrypted AnyDesk traffic on untrusted networks
  • Suspicious man-in-the-middle activity on AnyDesk ports (TCP 7070)

SIEM Query:

source="anydesk.log" AND (event="connection_failed" OR event="authentication_failure")
