Skip to main content

Anydesk CVE-2024-12754

MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2024-12-30 zdi-disclosures@trendmicro.com
5.5
CVSS 3.0 · Vendor: trendmicro
Share

Severity by source

Vendor (trendmicro) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (trendmicro) · only source for this CVE.

CVSS VectorVendor: trendmicro

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 30, 2024 - 17:15 cve.org
MEDIUM 5.5

DescriptionCVE.org

AnyDesk Link Following Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of AnyDesk. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the handling of background images. By creating a junction, an attacker can abuse the service to read arbitrary files. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-23940.

AnalysisAI

AnyDesk Link Following Information Disclosure Vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-59. AnyDesk Link Following Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of AnyDesk. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of background images. By creating a junction, an attacker can abuse the service to read arbitrary files. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-23940. Affected products include: Anydesk.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2020-13160 CRITICAL POC
9.8 Jun 09

AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerability that can be exploited for remote code execut

CVE-2016-20094 HIGH POC
8.5 Jun 19

AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYS

CVE-2019-25261 HIGH POC
7.8 Feb 03

Anydesk versions up to 5.4.0 contains a vulnerability that allows attackers to potentially inject malicious executables

CVE-2022-32450 HIGH POC
7.1 Jul 18

AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own

CVE-2017-14397 CRITICAL
9.8 Sep 12

AnyDesk before 3.6.1 on Windows has a DLL injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2021-40854 HIGH
7.8 Oct 14

AnyDesk before 6.2.6 and 6.3.x before 6.3.3 allows a local user to obtain administrator privileges by using the Open Cha

CVE-2020-27614 HIGH
7.8 Dec 09

AnyDesk for macOS versions 6.0.2 and older have a vulnerability in the XPC interface that does not properly validate cli

CVE-2018-13102 HIGH
7.8 Jul 03

AnyDesk before "12.06.2018 - 4.1.3" on Windows 7 SP1 has a DLL preloading vulnerability. Rated high severity (CVSS 7.8),

CVE-2023-26509 HIGH
7.5 Jul 03

AnyDesk 7.0.8 allows remote Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitabl

CVE-2026-15681 MEDIUM
5.5 Jul 13

Denial-of-service in AnyDesk allows a local attacker with low-privileged code execution to crash or destabilize the appl

CVE-2026-15682 MEDIUM
5.5 Jul 13

AnyDesk's 'Send Support Information' feature is exploitable by local low-privileged attackers via a Windows junction (di

CVE-2025-27919 HIGH POC
8.2 Nov 06

An issue was discovered in AnyDesk through 9.0.4. Rated high severity (CVSS 8.2), this vulnerability is remotely exploit

Share

CVE-2024-12754 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy