Anydesk
CVE-2022-32450
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own %APPDATA% folder (used for ad.trace and chat) but the product runs as SYSTEM when writing chat-room data there.
AnalysisAI
AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own %APPDATA% folder (used for ad.trace and chat) but the product runs as SYSTEM. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-59. AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own %APPDATA% folder (used for ad.trace and chat) but the product runs as SYSTEM when writing chat-room data there. Affected products include: Anydesk.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerability that can be exploited for remote code execut
AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYS
Anydesk versions up to 5.4.0 contains a vulnerability that allows attackers to potentially inject malicious executables
AnyDesk before 3.6.1 on Windows has a DLL injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerabilit
AnyDesk before 6.2.6 and 6.3.x before 6.3.3 allows a local user to obtain administrator privileges by using the Open Cha
AnyDesk for macOS versions 6.0.2 and older have a vulnerability in the XPC interface that does not properly validate cli
AnyDesk before "12.06.2018 - 4.1.3" on Windows 7 SP1 has a DLL preloading vulnerability. Rated high severity (CVSS 7.8),
AnyDesk 7.0.8 allows remote Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitabl
Denial-of-service in AnyDesk allows a local attacker with low-privileged code execution to crash or destabilize the appl
AnyDesk's 'Send Support Information' feature is exploitable by local low-privileged attackers via a Windows junction (di
AnyDesk Link Following Information Disclosure Vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is low
An issue was discovered in AnyDesk through 9.0.4. Rated high severity (CVSS 8.2), this vulnerability is remotely exploit
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today