VYPR
advisoryPublished Jul 8, 2026· 2 sources

Zero-Day Denial-of-Service Vulnerability Found in AnyDesk Support Feature

A critical denial-of-service vulnerability (ZDI-26-401) in AnyDesk allows local attackers with low-privileged code execution to crash affected installations.

The Zero Day Initiative (ZDI) has disclosed a critical denial-of-service (DoS) vulnerability, tracked as ZDI-26-401, affecting the popular remote desktop application AnyDesk. This flaw, which carries a CVSS score of 4.7, enables local attackers with existing low-privileged code execution capabilities to crash the AnyDesk service on a target system.

The vulnerability resides within the "Send Support Information" feature of AnyDesk. Attackers can exploit this by creating a symbolic link (junction) that abuses the service's file handling mechanisms. This abuse allows for the creation of arbitrary files, which can then be leveraged to trigger a denial-of-service condition, rendering the AnyDesk installation inoperable.

Exploitation requires an attacker to first gain a foothold on the target system with the ability to execute code, even with minimal privileges. Once this prerequisite is met, the attacker can proceed to craft the necessary conditions to trigger the DoS vulnerability through the manipulated "Send Support Information" feature.

The disclosure timeline reveals a protracted engagement between ZDI and the vendor. The vulnerability was initially reported on March 30, 2025. Despite several follow-ups and escalations, the vendor's security team did not provide a definitive response or confirmation of a fix until much later, with ZDI ultimately notifying the vendor of their intention to publish the advisory as a zero-day on June 26, 2026, due to a lack of progress.

Mitigation for this specific vulnerability is limited, primarily revolving around restricting interaction with the AnyDesk product itself. Users are advised to be cautious about any unexpected behavior or crashes related to the support information feature. The vendor's response indicates a lengthy process to address the issue, highlighting potential challenges in timely vulnerability remediation.

This advisory was coordinated for public release on July 8, 2026, with an update to the advisory also occurring on the same date. The vulnerability was discovered and reported by Giuliano Sanfins from SiDi (0x_alibabas).

The disclosure of ZDI-26-401 underscores the ongoing risks associated with remote access software and the importance of robust security practices, even for features designed for legitimate support purposes. The extended timeline for vendor response also points to potential challenges in the vulnerability management lifecycle for some software providers.

The Zero Day Initiative has disclosed a separate denial-of-service vulnerability in AnyDesk, designated ZDI-26-400, which differs from the previously reported ZDI-26-401. This new flaw, also requiring low-privileged code execution, allows local attackers to abuse a screen recording feature via file junctions to create arbitrary files, leading to a denial-of-service condition. The disclosure timeline indicates a lengthy vendor response period, with ZDI publishing the advisory as a 0-day after the vendor's support team initially deemed the issue out of scope.

Synthesized by Vypr AI