CVE-2025-34499
📋 TL;DR
This CVE describes an unquoted service path vulnerability in AnyDesk that allows local non-privileged users to escalate privileges to SYSTEM level. Attackers can place malicious executables in paths that get executed with elevated permissions when the service starts. This affects AnyDesk installations on Windows systems where local access is possible.
💻 Affected Systems
- AnyDesk
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement capabilities.
Likely Case
Local user or malware with initial foothold escalates to SYSTEM to install additional payloads, disable security controls, or access protected resources.
If Mitigated
With proper endpoint security controls and least privilege principles, exploitation attempts are detected and blocked, limiting impact to isolated incidents.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (IDs 51968, 52258). Exploitation requires local access but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check AnyDesk vendor updates for patched versions beyond 7.0.15 and 9.0.1
Vendor Advisory: http://anydesk.com (check security/advisory sections)
Restart Required: Yes
Instructions:
1. Download latest AnyDesk version from official site.
2. Uninstall current version.
3. Install updated version.
4. Restart system to ensure service updates take effect.
🔧 Temporary Workarounds
Manually quote service path
Windows: Modify the AnyDesk service configuration to use quoted paths in the Windows Registry
sc config "AnyDesk" binPath= "\"C:\Program Files (x86)\AnyDesk\AnyDesk.exe\""
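Restart the AnyDesk service after making changes. binPath= replaces the service's entire command line, so carry over any arguments that sc qc AnyDesk shows after the executable path.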
Restrict write permissions
Windows: Set strict ACLs on directories in the service path to prevent unauthorized file creation
icacls "C:\Program Files (x86)\AnyDesk" /deny Users:(OI)(CI)W
icacls "C:\Program Files" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Remove AnyDesk from critical systems until patched
- Implement application whitelisting to block unauthorized executables in service path directories
🔍 How to Verify
Check if Vulnerable:
Check the service configuration with: sc qc AnyDesk | findstr BINARY_PATH_NAME
If the path contains spaces and is not enclosed in quotes, the system is vulnerable.
Check Version:
AnyDesk.exe --version or check in Help > About within the application
Verify Fix Applied:
Verify the service path is quoted: in the output of sc qc AnyDesk, the executable path in BINARY_PATH_NAME should be enclosed in double quotes, like "C:\Program Files...".
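The check and the quoting workaround described above can be automated. The following is an added example, not code from this page or from AnyDesk: the function name Get-ServicePathFinding and the sample service records are constructed for illustration. It flags command lines whose executable path contains a space but is not quoted, and prints the quoted form with arguments preserved.

```powershell
# Added example: report services whose executable path has a space but no quotes.
# Get-ServicePathFinding is a hypothetical helper name, not a built-in cmdlet.
function Get-ServicePathFinding {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PathName
    )

    $cmd = $PathName.Trim()

    # Already quoted, or not an .exe command line (e.g. a kernel driver): nothing to report.
    if ($cmd.StartsWith('"') -or $cmd -notmatch '^(?<exe>.*?\.exe)(?<args>\s.*)?$') { return }

    # Copy the captures now; any later regex match would overwrite $Matches.
    $exe  = $Matches['exe']
    $rest = $Matches['args']

    # No space in the executable path means there is no ambiguity to resolve.
    if ($exe -notlike '* *') { return }

    [pscustomobject]@{
        Service   = $Name
        Current   = $cmd
        # Quote only the executable and keep whatever followed it.
        Suggested = '"{0}"{1}' -f $exe, $rest
    }
}

# Constructed sample records shaped like Win32_Service objects (not from a real host).
$samples = @(
    [pscustomobject]@{ Name = 'AnyDesk';    PathName = 'C:\Program Files (x86)\AnyDesk\AnyDesk.exe' }
    [pscustomobject]@{ Name = 'ExampleSvc'; PathName = 'C:\Program Files\Example App\svc.exe --example-arg' }
    [pscustomobject]@{ Name = 'QuotedSvc';  PathName = '"C:\Program Files\Quoted App\svc.exe" --example-arg' }
    [pscustomobject]@{ Name = 'NoSpaceSvc'; PathName = 'C:\Windows\system32\svchost.exe -k netsvcs' }
)

# Only AnyDesk and ExampleSvc are reported; the quoted and space-free paths are skipped.
$samples |
    ForEach-Object { Get-ServicePathFinding -Name $_.Name -PathName $_.PathName } |
    Format-List
```

On a live host, feed the function the Name and PathName of each Get-CimInstance Win32_Service record that has a non-empty PathName. It only reports and changes no configuration.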
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Service Control Manager events (7045) showing service path modifications
- Security logs: Unauthorized file creation in system directories
- Process creation events for unexpected executables from AnyDesk directories
Network Indicators:
- Unusual outbound connections from SYSTEM context following local user activity
- AnyDesk service restarting unexpectedly
SIEM Query:
- EventID=7045 AND (Service_Name="AnyDesk" OR ImagePath="*AnyDesk*")
- Process creation from paths containing spaces without quotes in system directories