Two AnyDesk Zero-Day Flaws Let Local Attackers Cause Denial of Service


Security researchers have disclosed two unpatched AnyDesk vulnerabilities that allow local attackers to trigger denial-of-service conditions. The flaws affect the software’s support information and screen recording features.

The first vulnerability, CVE-2026-15682, carries a CVSS score of 4.7. According to the Zero Day Initiative advisory, an attacker must already have the ability to run low-privilege code on the targeted system.

This requirement means an attacker cannot exploit the vulnerability directly over the internet. However, it could help someone who already has limited access disrupt AnyDesk or the affected system.

CVE-2026-15682 exists within AnyDesk’s Send Support Information feature. The feature collects diagnostic information that users can provide to support teams when investigating technical problems.

A second vulnerability, CVE-2026-15681, affects the application’s handling of screen recording files. The separate ZDI advisory also assigns this flaw a CVSS score of 4.7.

Both vulnerabilities involve link-following weaknesses. A local attacker can create a filesystem junction that redirects a privileged file operation to a location chosen by the attacker.

VulnerabilityAffected featureRequired accessImpactCVSS score
CVE-2026-15682Send Support InformationLocal low-privilege code executionDenial of service4.7
CVE-2026-15681Screen recording file handlingLocal low-privilege code executionDenial of service4.7

How the AnyDesk Junction Attack Works

A junction is a filesystem redirection mechanism. It can make one directory point to another location, causing an application to access a different path from the one it expects.

In these attacks, a low-privilege user prepares a junction before asking an AnyDesk service to perform a file operation. Because the service does not safely handle the redirected path, the attacker can make it create files in unintended locations.

ZDI says this arbitrary file creation can cause a denial-of-service condition. The advisories do not claim that either vulnerability allows remote code execution, data theft or privilege escalation.

  • The attacker needs access to the local system.
  • The attacker must be able to execute low-privilege code.
  • No additional user interaction is required.
  • The attack has high complexity under the CVSS assessment.
  • The identified impact affects availability rather than confidentiality or integrity.

Why the Vulnerabilities Are Classified as Zero-Days

ZDI reported CVE-2026-15682 to AnyDesk in March 2025. Its disclosure timeline shows several follow-up attempts before the organization announced plans to publish the vulnerability as a zero-day.

According to ZDI, AnyDesk’s support team escalated the report to its security team in September 2025. In December, the support team reportedly told ZDI that the issue fell outside its scope. ZDI published the advisory on July 8, 2026, and updated it on July 13.

The screen recording flaw followed a similar disclosure process. ZDI initially reported it in March 2025 and published the CVE-2026-15681 advisory on July 13, 2026.

ZDI labels both vulnerabilities as zero-days because they became public without a confirmed vendor fix. This label does not by itself mean attackers have exploited the flaws in real-world incidents. Neither advisory reports active exploitation.

Affected AnyDesk Versions Remain Unclear

The advisories list AnyDesk as the affected product but do not provide specific version numbers. As a result, administrators cannot determine from the public information whether particular releases avoid the vulnerable behavior.

No vendor security notice or patch reference appears in either ZDI advisory. Installing the latest available version remains sensible security practice, but organizations should not assume that updating alone fixes these specific vulnerabilities unless AnyDesk confirms it.

The lack of version details makes risk assessment more difficult for companies that deploy AnyDesk across employee computers, support terminals or managed customer devices.

How Organizations Can Reduce Their Exposure

ZDI says the main mitigation involves restricting interaction with the product. Organizations should first identify systems running AnyDesk and determine whether local users or untrusted processes can interact with the installation.

IT teams should limit local code execution, apply least-privilege controls and prevent unauthorized users from installing or launching software. Application control policies can also reduce the chance that an attacker uses an existing low-privilege foothold to exploit the flaws.

Security teams can monitor for unusual filesystem junction creation and unexpected files appearing in protected locations. These events do not automatically confirm exploitation, but they can provide useful indicators during an investigation.

  • Inventory all endpoints running AnyDesk.
  • Restrict local access to shared and support systems.
  • Use application allowlisting where practical.
  • Monitor unusual junction and reparse point activity.
  • Review unexpected file creation by AnyDesk services.
  • Watch for official AnyDesk updates and security notices.
  • Consider restricting or removing AnyDesk from high-risk systems until a fix receives confirmation.

Risk Is Lower Than a Remote AnyDesk Exploit

The two flaws present a lower immediate risk than vulnerabilities that attackers can exploit remotely without authentication. Their CVSS scores reflect the need for local access, low privileges and a relatively complex attack sequence.

However, denial-of-service vulnerabilities can still disrupt help desks, managed service providers and organizations that rely on AnyDesk for unattended remote support. An attacker who has already compromised a low-privilege account could use the flaws to interfere with recovery or support operations.

Administrators should treat the vulnerabilities as part of a wider defense-in-depth problem. Preventing unauthorized local code execution remains the most important control while organizations wait for clear version and patch information.

FAQ

What is CVE-2026-15682?

CVE-2026-15682 is a local denial-of-service vulnerability in AnyDesk’s Send Support Information feature. It allows a low-privilege attacker to abuse a filesystem junction and make the service create files in unintended locations.

Can attackers exploit the AnyDesk flaws remotely?

Not directly. Both vulnerabilities require the attacker to execute low-privilege code on the targeted system before attempting exploitation.

What is CVE-2026-15681?

CVE-2026-15681 is a related AnyDesk denial-of-service vulnerability involving the handling of screen recording files. It also relies on filesystem junction manipulation.

Which AnyDesk versions are affected?

The public ZDI advisories do not identify specific affected or fixed AnyDesk versions. Administrators should monitor AnyDesk’s official communications for confirmed version information.

Has AnyDesk released a patch for these vulnerabilities?

The ZDI advisories do not reference a vendor patch. Organizations should not assume the flaws have been fixed until AnyDesk publishes confirmation or ZDI updates its advisories.

Are attackers actively exploiting the AnyDesk zero-days?

The public advisories do not report active exploitation. ZDI uses the zero-day label because the vulnerabilities became public without a confirmed fix.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages