Tuesday, May 6, 2025
HomeCVE/vulnerabilityAnyDesk Flaw Allows Admin Access Through Weaponized Windows Wallpapers

AnyDesk Flaw Allows Admin Access Through Weaponized Windows Wallpapers

Published on

SIEM as a Service

Follow Us on Google News

Cybersecurity enthusiasts and IT administrators worldwide are voicing concerns over a newly discovered vulnerability in AnyDesk that could lead to local privilege escalation (LPE).

The vulnerability, identified as CVE-2024-12754 and coordinated by Trend Micro’s Zero Day Initiative, allows attackers to weaponize Windows background images for escalating permissions on Windows systems.

A Closer Look at the Vulnerability

Discovered by security researcher Naor Hodorov, the flaw lies in the way the AnyDesk service handles background images during remote sessions.

- Advertisement - Google News

Specifically, when a session is initiated, AnyDesk copies the user’s background image into the C:\Windows\Temp directory using NT AUTHORITY\SYSTEM privileges.

File Copy operation performed by the AnyDesk service
File Copy operation performed by the AnyDesk service

Here’s the twist: A low-privileged user can manipulate this file-copy operation to gain access to otherwise restricted files and, ultimately, escalate their privileges.

By carefully pre-creating a target file in C:\Windows\Temp and exploiting file ownership inheritance behaviors, the attacker can execute an arbitrary file read or copy operation.

Exploiting the Vulnerability

To exploit this vulnerability for privilege escalation, the attacker follows these steps:

  1. Pre-Creation of Target Files: The attacker pre-creates a file in C:\Windows\Temp matching the name of the background image.
  2. Triggering AnyDesk’s File Copy Mechanism: They set their desktop background image to the desired file and establish a connection to their own AnyDesk ID. This triggers the file to be copied as NT AUTHORITY\SYSTEM.
  3. Manipulating File Ownership: Using directory reparse points and symbolic links, they redirect AnyDesk’s copy operation to sensitive system files, such as the SAMSYSTEM, and SECURITY files stored in Volume Shadow Copies (used for Restore Points).
  4. Extracting Credentials: By reading these files, the attacker gains access to hashes and credentials of local administrators and cached users, effectively gaining administrative rights on the system.
Seems like we got ourselves an Arbitrary File Read/Copy vulnerability!
Seems like we got ourselves an Arbitrary File Read/Copy vulnerability!

What makes this vulnerability dangerous is its potential simplicity. AnyDesk, a popular remote administration tool used by millions worldwide, is installed on enterprise and personal devices alike.

While the complexity of the attack chain may deter casual attackers, skilled adversaries could weaponize this for more sophisticated breaches.

Arbitrary File Copy Leading to Local Privilege Escalation
Arbitrary File Copy Leading to Local Privilege Escalation

The vulnerability was responsibly disclosed to AnyDesk Software GmbH on July 24, 2024, with public disclosure coordinated for December 19, 2024.

The credit for this discovery goes to Naor Hodorov, whose findings were facilitated by Trend Micro’s Zero Day Initiative.

Until a patch is released, users and administrators are urged to:

  • Restrict access to AnyDesk installations, particularly on high-value systems.
  • Regularly monitor and secure the C:\Windows\Temp directory.
  • Disable Volume Shadow Copies if not in use.

As organizations increasingly rely on remote access tools, this vulnerability serves as a stark reminder of the importance of regular security audits and timely patching.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...