AnyDesk 2.5.0 Unquoted Service Path Elevation of Privilege
Description
AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation. Attackers can insert malicious executables in the system root path that execute with elevated privileges during application startup or system reboot.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
Root cause
"The AnyDesk 2.5.0 service binary path is unquoted, causing Windows to interpret space-separated components as separate executable candidates and enabling privilege escalation from a writable directory."
Attack vector
The AnyDesk 2.5.0 service is installed with an unquoted binary path (`C:\Program Files\AnyDesk\AnyDesk.exe`), and the service runs with SYSTEM privileges [ref_id=1]. A local, non-privileged user who can write to a parent directory in the unquoted path (for example, `C:\Program.exe` or `C:\Program Files\AnyDesk.exe`) can place a malicious executable there. When the service starts (automatically at boot or manually), Windows' CreateProcess resolves the unquoted path by first checking the space-split tokens, causing the attacker's planted executable to be launched with SYSTEM privileges instead of the intended AnyDesk binary [ref_id=1].
What the fix does
The vendor must enclose the service binary path in quotation marks (`"C:\Program Files\AnyDesk\AnyDesk.exe"`) so that Windows interprets the entire string as a single path and does not attempt to resolve space-delimited tokens as separate executables. The advisory does not include a specific patch diff, but the standard remediation for CWE-428 (Unquoted Search Path or Element) is to quote the service binary path in the registry or service configuration [ref_id=1]. Without this change, any directory in the unquoted path that an unprivileged user can write to becomes an elevation-of-privilege vector.
Preconditions
- configThe service binary path must be unquoted (confirmed by `sc qc anydesk` shown in the write-up)
- inputThe attacker must be a local, non-privileged user who can write to a directory along the unquoted path (e.g., `C:\` or `C:\Program Files\`)
- networkThe service must be restarted or the system rebooted for the planted executable to be launched
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- www.exploit-db.com/exploits/40410mitreexploit
- www.vulncheck.com/advisories/anydesk-unquoted-service-path-elevation-of-privilegemitrethird-party-advisory
- anydesk.commitreproduct
- anydesk.com/downloadmitreproduct
News mentions
0No linked articles in our index yet.