Description
AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation. Attackers can insert malicious executables in the system root path that execute with elevated privileges during application startup or system reboot.
Published: 2026-06-19
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows a local user to run arbitrary code with SYSTEM privileges. By placing malicious executables in the system root directory, a local attacker can have those files executed during AnyDesk startup or during a system reboot, effectively gaining full control of the affected machine.

Affected Systems

AnyDesk version 2.5.0 (vendor: Anydesk) is affected. No other versions are listed as vulnerable in the available data.

Risk and Exploitability

The CVSS v4.0 score of 8.5 (7.8 under CVSS v3.1) indicates a high-severity issue. The vulnerability is exploitable by any local user who has write access to the system root directory, a condition that is common on systems with administrative accounts. No EPSS score is available, and the absence of a KEV listing does not reduce the seriousness of the local privilege escalation potential.

Generated by OpenCVE AI on June 19, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade AnyDesk to the latest version that includes the fix for the unquoted service path
  • If upgrading is not possible, remove or rename any malicious executables in the system root path to prevent them from being executed during startup or reboot
  • Verify that the AnyDesk service path is properly quoted or delete the unquoted service registry entry
  • Restrict local user write and execute permissions on the system root directory to limit the ability to place malicious files there



Advisories

No advisories yet.

History

Fri, 19 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Anydesk, Anydesk anydesk
Vendors & Products | | Anydesk, Anydesk anydesk

Fri, 19 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation. Attackers can insert malicious executables in the system root path that execute with elevated privileges during application startup or system reboot.
Title | | AnyDesk 2.5.0 Unquoted Service Path Elevation of Privilege
Weaknesses | | CWE-428
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T14:16:47.250Z

Reserved: 2026-06-19T13:25:53.817Z

Link: CVE-2016-20094

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:45:03Z

Weaknesses
  • CWE-428

    Unquoted Search Path or Element