CVE-2025-27918

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on AnyDesk clients by sending specially crafted UDP packets. An integer overflow leads to a heap-based buffer overflow during identity image processing or connection establishment. All AnyDesk users on affected versions are at risk.

💻 Affected Systems

Products and affected versions:
  • AnyDesk for Windows: before 9.0.5
  • AnyDesk for macOS: before 9.0.1
  • AnyDesk for Linux: before 7.0.0
  • AnyDesk for iOS: before 7.1.2
  • AnyDesk for Android: before 8.0.0
Operating Systems: Windows, macOS, Linux, iOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable while the Discovery feature is enabled (the default) or while the client is establishing a connection.

📦 What is this software?

AnyDesk is a proprietary, cross-platform remote desktop application used for remote support and unattended remote access. Its Discovery feature locates other AnyDesk clients on the local network and processes their identity images, which is why the vulnerable code is reachable without a connection being established.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with SYSTEM/root privileges leading to complete system compromise, lateral movement, and data exfiltration.

🟠 Likely Case: Remote code execution with user privileges, enabling malware installation, credential theft, and persistence establishment.

🟢 If Mitigated: Denial of service or application crash if the exploit fails or controls block execution.

🌐 Internet-Facing: HIGH - UDP packets can be sent from anywhere on the internet to exposed AnyDesk instances.
🏢 Internal Only: HIGH - Internal attackers can exploit this via local network to compromise systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation over UDP requires no authentication. Technical details are documented in an academic paper.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Windows: 9.0.5+, macOS: 9.0.1+, Linux: 7.0.0+, iOS: 7.1.2+, Android: 8.0.0+

Vendor Advisory: https://anydesk.com/en/changelog/windows (Windows changelog; consult the vendor changelog for each other platform to confirm its fixed release)

Restart Required: Yes

Instructions:

1. Open AnyDesk.
2. Go to Settings > About.
3. Click 'Check for updates'.
4. Install the available update.
5. Restart the AnyDesk service/application.

🔧 Temporary Workarounds

Disable Discovery Feature (all platforms)

Prevents UDP packet processing for identity images by disabling discovery.

Settings > Security > Uncheck 'Enable Discovery'

Block AnyDesk UDP Ports (all platforms)

Block inbound UDP traffic to the AnyDesk default ports (7070-7080) at the firewall.

Windows: netsh advfirewall firewall add rule name="Block AnyDesk UDP" dir=in action=block protocol=UDP localport=7070-7080
Linux: sudo iptables -A INPUT -p udp --dport 7070:7080 -j DROP

Notes: Confirm the port range against your deployment before relying on this rule. AnyDesk's own firewall documentation lists TCP 7070 as the default direct-connection port and UDP 50001-50003 for Discovery, so a block limited to UDP 7070-7080 may leave Discovery traffic unfiltered; disabling Discovery (above) does not depend on the port. The iptables rule is not persistent across reboots unless saved with your distribution's usual mechanism, and neither rule addresses the connection-establishment path, so patching remains the only complete fix.

🧯 If You Can't Patch

  • Uninstall AnyDesk completely from affected systems.
  • Implement strict network segmentation to isolate AnyDesk traffic.

🔍 How to Verify

Check if Vulnerable:

Check the AnyDesk version in Settings > About and compare it with the patched versions listed under "Verify Fix Applied".

Check Version:

Windows: anydesk.exe --version
Linux: anydesk --version
macOS: /Applications/AnyDesk.app/Contents/MacOS/AnyDesk --version

Verify Fix Applied:

Confirm the version is at or above the patched release for the platform: Windows 9.0.5+, macOS 9.0.1+, Linux 7.0.0+, iOS 7.1.2+, Android 8.0.0+.
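A fleet audit helper for the version comparison above, added here as an example and not code from this page or from AnyDesk. The fixed versions are the ones stated in this advisory; the version-string format it accepts (a bare "6.3.2" or a line such as "AnyDesk 6.3.2", as a version query might print) is an assumption, and the hostnames and versions in the sample inventory are constructed.

```python
"""Added example (not from the page or from AnyDesk): classify installed
AnyDesk builds as vulnerable or patched for CVE-2025-27918.

Fixed versions are taken from the advisory text. The version-string
format handled by parse_version() is an assumption: it accepts a bare
"6.3.2" or a line such as "AnyDesk 6.3.2" and ignores anything that is
not a dotted number.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Earliest fixed release per platform, as stated in the advisory.
FIXED_VERSION: Dict[str, Version] = {
    "windows": (9, 0, 5),
    "macos": (9, 0, 1),
    "linux": (7, 0, 0),
    "ios": (7, 1, 2),
    "android": (8, 0, 0),
}

# First "major.minor" or "major.minor.patch" run of digits in the text.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first dotted version from text as a comparable tuple.
    A missing patch component is treated as 0 ("9.0" -> (9, 0, 0))."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_vulnerable(platform: str, version_text: str) -> Optional[bool]:
    """True if the version is below the platform's fixed release, False if it
    is at or above it, None if the platform is unknown or the version cannot
    be parsed (treat None as 'needs manual review', not as 'safe')."""
    fixed = FIXED_VERSION.get(platform.lower())
    parsed = parse_version(version_text)
    if fixed is None or parsed is None:
        return None
    return parsed < fixed


def audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, platform, version_text) records into
    'vulnerable', 'patched' and 'unknown' lists of hostnames."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, platform, version_text in inventory:
        status = is_vulnerable(platform, version_text)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "AnyDesk 9.0.4"),
    ("ws-02", "windows", "AnyDesk 9.0.5"),
    ("mac-01", "macos", "9.0.0"),
    ("srv-01", "linux", "6.3.2"),
    ("srv-02", "linux", "7.0.0"),
    ("phone-01", "android", "7.9.9"),
    ("bsd-01", "freebsd", "6.1.0"),
    ("ws-03", "windows", "not installed"),
]

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the output of the per-platform version commands listed above; anything that lands in the "unknown" bucket should be checked by hand rather than assumed patched.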

📡 Detection & Monitoring

Log Indicators:

  • AnyDesk crash logs
  • Unexpected process termination
  • Memory access violation errors

Network Indicators:

  • UDP packets to ports 7070-7080 with malformed identity data
  • Unusual outbound connections post-exploit

SIEM Query:

source="AnyDesk" AND (event_type="crash" OR message="*overflow*" OR message="*access violation*")
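The SIEM query above expressed as plain Python over a handful of constructed log records, added as an example and not code from this page or from AnyDesk. The record layout (ISO timestamp, source, event type, free-text message) and the udp_rx event are assumptions, since the page does not show AnyDesk's real log format; the correlation step ties each crash or overflow message to the last inbound UDP packet seen shortly before it, which is the network indicator listed above.

```python
"""Added example (not from the page or from AnyDesk): run the advisory's
SIEM query over log records and correlate hits with preceding UDP traffic.

Record layout is an assumption:
    <ISO timestamp>Z <source> <event_type> <message ...>
Adapt parse_record() to your collector's output.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample records (not real AnyDesk logs).
SAMPLE_LOG = """\
2025-03-10T09:14:02Z AnyDesk info Discovery broadcast received
2025-03-10T09:14:03Z AnyDesk udp_rx packet from 203.0.113.7:52211 len=2048 dport=7070
2025-03-10T09:14:03Z AnyDesk error Exception: access violation reading 0x41414141
2025-03-10T09:14:04Z AnyDesk crash AnyDesk.exe terminated unexpectedly (code 0xC0000005)
2025-03-10T09:30:00Z sshd info Accepted publickey for ops from 198.51.100.5
2025-03-10T10:02:11Z AnyDesk info Version check: up to date
2025-03-10T10:05:40Z AnyDesk warning heap buffer overflow detected in image decoder
"""

KEYWORDS = ("overflow", "access violation")  # the message="*...*" terms of the query
_IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


class Record(NamedTuple):
    time: datetime
    source: str
    event_type: str
    message: str


def parse_record(line: str) -> Optional[Record]:
    """Parse one line; None for blank or malformed lines."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return Record(when, parts[1], parts[2], parts[3])


def matches_query(rec: Record) -> bool:
    """source="AnyDesk" AND (event_type="crash" OR message="*overflow*"
    OR message="*access violation*"), case-insensitive on the message."""
    if rec.source != "AnyDesk":
        return False
    msg = rec.message.lower()
    return rec.event_type == "crash" or any(k in msg for k in KEYWORDS)


def find_indicators(log_text: str) -> List[Record]:
    recs = (parse_record(line) for line in log_text.splitlines())
    return [r for r in recs if r is not None and matches_query(r)]


def correlate_with_udp(log_text: str, window_seconds: int = 60) -> List[Tuple[Record, Optional[Record]]]:
    """Pair each query hit with the most recent AnyDesk udp_rx record seen
    within window_seconds before it (None if there was none)."""
    window = timedelta(seconds=window_seconds)
    last_udp: Optional[Record] = None
    pairs: List[Tuple[Record, Optional[Record]]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec.source == "AnyDesk" and rec.event_type == "udp_rx":
            last_udp = rec
            continue
        if matches_query(rec):
            recent = last_udp if last_udp and rec.time - last_udp.time <= window else None
            pairs.append((rec, recent))
    return pairs


def suspect_sources(log_text: str, window_seconds: int = 60) -> List[str]:
    """Source IPs of UDP packets that immediately preceded an indicator,
    de-duplicated in first-seen order; candidates for a block rule."""
    seen: List[str] = []
    for _, udp in correlate_with_udp(log_text, window_seconds):
        m = _IP_RE.search(udp.message) if udp else None
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


if __name__ == "__main__":
    for hit, udp in correlate_with_udp(SAMPLE_LOG):
        origin = udp.message if udp else "no recent UDP packet"
        print(f"{hit.time:%H:%M:%S} {hit.event_type}: {hit.message} <- {origin}")
    print("suspect sources:", suspect_sources(SAMPLE_LOG))
```

A hit with no recent UDP packet (the last sample line) still matches the query and is worth triage, but the crash-preceded-by-UDP pairs are the ones that point at this CVE specifically; the window length is a tuning knob, not a fact about AnyDesk.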
