AnyDesk
CVE-2026-15681
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local attack vector with high complexity for junction timing; low privileges required; availability-only impact consistent with DoS description.
Primary rating from Vendor (zdi).
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionNVD
AnyDesk Screen Recording Link Following Denial-of-Service Vulnerability. This vulnerability allows local attackers to create a denial-of-service condition on affected installations of AnyDesk. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of screen recording files. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-26591.
AnalysisAI
Denial-of-service in AnyDesk allows a local attacker with low-privileged code execution to crash or destabilize the application by abusing improper junction resolution during screen recording file operations. The AnyDesk service fails to validate symbolic link or NTFS junction targets before accessing screen recording files, enabling redirection of privileged file creation to arbitrary filesystem paths. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker has already achieved local code execution on the target system with at minimum low-privileged access (consistent with CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.0 base score of 4.7 (Medium) reflects a realistic threat profile: AV:L constrains exploitation to attackers already present on the target system, and AC:H signals that successful exploitation requires a non-trivial setup - likely a race condition or careful junction placement before the service accesses the recording path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privileged local access - for example, a standard domain user on a shared workstation running AnyDesk - pre-positions an NTFS junction at the directory path where AnyDesk writes screen recording files, redirecting it to a sensitive or critical system path. When the AnyDesk service subsequently initiates a screen recording operation, it follows the junction and attempts to create files at the attacker-controlled target, either causing the service to crash due to access violations or consuming resources at the redirected path in a way that degrades system availability. … |
| Remediation | No vendor-released patch version was identified in the available data; the upstream fix status should be confirmed by consulting the ZDI advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-400/ and the AnyDesk security advisories page directly. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerability that can be exploited for remote code execut
AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYS
Anydesk versions up to 5.4.0 contains a vulnerability that allows attackers to potentially inject malicious executables
AnyDesk 7.0.9 allows a local user to gain SYSTEM privileges via a symbolic link because the user can write to their own
AnyDesk before 3.6.1 on Windows has a DLL injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerabilit
AnyDesk before 6.2.6 and 6.3.x before 6.3.3 allows a local user to obtain administrator privileges by using the Open Cha
AnyDesk for macOS versions 6.0.2 and older have a vulnerability in the XPC interface that does not properly validate cli
AnyDesk before "12.06.2018 - 4.1.3" on Windows 7 SP1 has a DLL preloading vulnerability. Rated high severity (CVSS 7.8),
AnyDesk 7.0.8 allows remote Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitabl
AnyDesk's 'Send Support Information' feature is exploitable by local low-privileged attackers via a Windows junction (di
AnyDesk Link Following Information Disclosure Vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is low
An issue was discovered in AnyDesk through 9.0.4. Rated high severity (CVSS 8.2), this vulnerability is remotely exploit
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allShare
External POC / Exploit Code
Leaving vuln.today