Two AnyDesk Zero-Day Flaws Let Local Attackers Cause Denial of Service
Security researchers have disclosed two unpatched AnyDesk vulnerabilities that allow local attackers to trigger denial-of-service conditions. The flaws affect the software’s support information and screen recording features.
The first vulnerability, CVE-2026-15682, carries a CVSS score of 4.7. According to the Zero Day Initiative advisory, an attacker must already have the ability to run low-privilege code on the targeted system.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
This requirement means an attacker cannot exploit the vulnerability directly over the internet. However, it could help someone who already has limited access disrupt AnyDesk or the affected system.
Two AnyDesk Features Contain Related Flaws
CVE-2026-15682 exists within AnyDesk’s Send Support Information feature. The feature collects diagnostic information that users can provide to support teams when investigating technical problems.
A second vulnerability, CVE-2026-15681, affects the application’s handling of screen recording files. The separate ZDI advisory also assigns this flaw a CVSS score of 4.7.
Both vulnerabilities involve link-following weaknesses. A local attacker can create a filesystem junction that redirects a privileged file operation to a location chosen by the attacker.
| Vulnerability | Affected feature | Required access | Impact | CVSS score |
|---|---|---|---|---|
| CVE-2026-15682 | Send Support Information | Local low-privilege code execution | Denial of service | 4.7 |
| CVE-2026-15681 | Screen recording file handling | Local low-privilege code execution | Denial of service | 4.7 |
How the AnyDesk Junction Attack Works
A junction is a filesystem redirection mechanism. It can make one directory point to another location, causing an application to access a different path from the one it expects.
In these attacks, a low-privilege user prepares a junction before asking an AnyDesk service to perform a file operation. Because the service does not safely handle the redirected path, the attacker can make it create files in unintended locations.
ZDI says this arbitrary file creation can cause a denial-of-service condition. The advisories do not claim that either vulnerability allows remote code execution, data theft or privilege escalation.
- The attacker needs access to the local system.
- The attacker must be able to execute low-privilege code.
- No additional user interaction is required.
- The attack has high complexity under the CVSS assessment.
- The identified impact affects availability rather than confidentiality or integrity.
Why the Vulnerabilities Are Classified as Zero-Days
ZDI reported CVE-2026-15682 to AnyDesk in March 2025. Its disclosure timeline shows several follow-up attempts before the organization announced plans to publish the vulnerability as a zero-day.
According to ZDI, AnyDesk’s support team escalated the report to its security team in September 2025. In December, the support team reportedly told ZDI that the issue fell outside its scope. ZDI published the advisory on July 8, 2026, and updated it on July 13.
The screen recording flaw followed a similar disclosure process. ZDI initially reported it in March 2025 and published the CVE-2026-15681 advisory on July 13, 2026.
ZDI labels both vulnerabilities as zero-days because they became public without a confirmed vendor fix. This label does not by itself mean attackers have exploited the flaws in real-world incidents. Neither advisory reports active exploitation.
Affected AnyDesk Versions Remain Unclear
The advisories list AnyDesk as the affected product but do not provide specific version numbers. As a result, administrators cannot determine from the public information whether particular releases avoid the vulnerable behavior.
No vendor security notice or patch reference appears in either ZDI advisory. Installing the latest available version remains sensible security practice, but organizations should not assume that updating alone fixes these specific vulnerabilities unless AnyDesk confirms it.
The lack of version details makes risk assessment more difficult for companies that deploy AnyDesk across employee computers, support terminals or managed customer devices.
How Organizations Can Reduce Their Exposure
ZDI says the main mitigation involves restricting interaction with the product. Organizations should first identify systems running AnyDesk and determine whether local users or untrusted processes can interact with the installation.
IT teams should limit local code execution, apply least-privilege controls and prevent unauthorized users from installing or launching software. Application control policies can also reduce the chance that an attacker uses an existing low-privilege foothold to exploit the flaws.
Security teams can monitor for unusual filesystem junction creation and unexpected files appearing in protected locations. These events do not automatically confirm exploitation, but they can provide useful indicators during an investigation.
- Inventory all endpoints running AnyDesk.
- Restrict local access to shared and support systems.
- Use application allowlisting where practical.
- Monitor unusual junction and reparse point activity.
- Review unexpected file creation by AnyDesk services.
- Watch for official AnyDesk updates and security notices.
- Consider restricting or removing AnyDesk from high-risk systems until a fix receives confirmation.
Risk Is Lower Than a Remote AnyDesk Exploit
The two flaws present a lower immediate risk than vulnerabilities that attackers can exploit remotely without authentication. Their CVSS scores reflect the need for local access, low privileges and a relatively complex attack sequence.
However, denial-of-service vulnerabilities can still disrupt help desks, managed service providers and organizations that rely on AnyDesk for unattended remote support. An attacker who has already compromised a low-privilege account could use the flaws to interfere with recovery or support operations.
Administrators should treat the vulnerabilities as part of a wider defense-in-depth problem. Preventing unauthorized local code execution remains the most important control while organizations wait for clear version and patch information.
FAQ
CVE-2026-15682 is a local denial-of-service vulnerability in AnyDesk’s Send Support Information feature. It allows a low-privilege attacker to abuse a filesystem junction and make the service create files in unintended locations.
Not directly. Both vulnerabilities require the attacker to execute low-privilege code on the targeted system before attempting exploitation.
CVE-2026-15681 is a related AnyDesk denial-of-service vulnerability involving the handling of screen recording files. It also relies on filesystem junction manipulation.
The public ZDI advisories do not identify specific affected or fixed AnyDesk versions. Administrators should monitor AnyDesk’s official communications for confirmed version information.
The ZDI advisories do not reference a vendor patch. Organizations should not assume the flaws have been fixed until AnyDesk publishes confirmation or ZDI updates its advisories.
The public advisories do not report active exploitation. ZDI uses the zero-day label because the vulnerabilities became public without a confirmed fix.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages