Friday, May 23, 2025

AnyDesk Flaw Allows Admin Access Through Weaponized Windows Wallpapers

Cybersecurity enthusiasts and IT administrators worldwide are voicing concerns over a newly discovered vulnerability in AnyDesk that could lead to local privilege escalation (LPE).

The vulnerability, identified as CVE-2024-12754 and coordinated by Trend Micro’s Zero Day Initiative, allows attackers to weaponize Windows background images for escalating permissions on Windows systems.

A Closer Look at the Vulnerability

Discovered by security researcher Naor Hodorov, the flaw lies in the way the AnyDesk service handles background images during remote sessions.

Specifically, when a session is initiated, AnyDesk copies the user’s background image into the C:\Windows\Temp directory using NT AUTHORITY\SYSTEM privileges.

File Copy operation performed by the AnyDesk service

Here’s the twist: A low-privileged user can manipulate this file-copy operation to gain access to otherwise restricted files and, ultimately, escalate their privileges.

By carefully pre-creating a target file in C:\Windows\Temp and exploiting file ownership inheritance behaviors, the attacker can execute an arbitrary file read or copy operation.

Exploiting the Vulnerability

To exploit this vulnerability for privilege escalation, the attacker follows these steps:

  1. Pre-Creation of Target Files: The attacker pre-creates a file in C:\Windows\Temp matching the name of the background image.
  2. Triggering AnyDesk’s File Copy Mechanism: They set their desktop background image to the desired file and establish a connection to their own AnyDesk ID. This triggers the file to be copied as NT AUTHORITY\SYSTEM.
  3. Manipulating File Ownership: Using directory reparse points and symbolic links, they redirect AnyDesk’s copy operation to sensitive system files, such as the SAM, SYSTEM, and SECURITY files stored in Volume Shadow Copies (used for Restore Points).
  4. Extracting Credentials: By reading these files, the attacker gains access to hashes and credentials of local administrators and cached users, effectively gaining administrative rights on the system.

Seems like we got ourselves an Arbitrary File Read/Copy vulnerability!

What makes this vulnerability dangerous is its potential simplicity. AnyDesk, a popular remote administration tool used by millions worldwide, is installed on enterprise and personal devices alike.

While the complexity of the attack chain may deter casual attackers, skilled adversaries could weaponize this for more sophisticated breaches.

Arbitrary File Copy Leading to Local Privilege Escalation

The vulnerability was responsibly disclosed to AnyDesk Software GmbH on July 24, 2024, with public disclosure coordinated for December 19, 2024.

The credit for this discovery goes to Naor Hodorov, whose findings were facilitated by Trend Micro’s Zero Day Initiative.

Until a patch is released, users and administrators are urged to:

  • Restrict access to AnyDesk installations, particularly on high-value systems.
  • Regularly monitor and secure the C:\Windows\Temp directory.
  • Disable Volume Shadow Copies if not in use.
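As an added defender-side check (not part of the article and not AnyDesk’s own tooling), the following PowerShell script audits the directory the second recommendation refers to: it lists reparse points (symbolic links and junctions) in C:\Windows\Temp with their owner and target, reports files there that are owned by non-administrative accounts, and enumerates existing Volume Shadow Copies. It assumes Windows PowerShell 5.1 or later run with rights to read the directory’s ACLs; the trusted-owner list is an assumption to adjust for your environment.

```powershell
# Added audit script for the mitigation advice above (not from the article or from AnyDesk).
# A user-planted file or reparse point in C:\Windows\Temp is the precondition for the
# SYSTEM-level copy described in the article, so surface both before a session runs.
param(
    [string]$TempPath = 'C:\Windows\Temp'
)

# Assumed set of principals that legitimately own entries in the system temp directory.
$trustedOwners = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Get-TempReparsePoints {
    param([string]$Path)
    # -Attributes ReparsePoint limits the listing to symbolic links and junctions.
    Get-ChildItem -Path $Path -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
            [pscustomobject]@{
                Path     = $_.FullName
                LinkType = $_.LinkType            # SymbolicLink or Junction
                Target   = ($_.Target -join ';')  # where the link resolves to
                Owner    = $owner
                Suspect  = ($trustedOwners -notcontains $owner)
            }
        }
}

function Get-UnexpectedOwners {
    param([string]$Path)
    # Plain files pre-created by a standard user are the first step of the chain;
    # report anything in the directory not owned by a trusted principal.
    Get-ChildItem -Path $Path -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
            if ($trustedOwners -notcontains $owner) {
                [pscustomobject]@{ Path = $_.FullName; Owner = $owner; Created = $_.CreationTime }
            }
        }
}

"== Reparse points under $TempPath =="
Get-TempReparsePoints -Path $TempPath | Format-Table -AutoSize

"== Files under $TempPath owned by non-administrative accounts =="
Get-UnexpectedOwners -Path $TempPath | Format-Table -AutoSize

"== Existing Volume Shadow Copies (third recommendation: disable if unused) =="
Get-CimInstance -ClassName Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
```

Run it from an elevated prompt on a schedule or before enabling AnyDesk on a sensitive host; any row flagged Suspect, or any file owned by a standard user, is worth investigating and removing.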

As organizations increasingly rely on remote access tools, this vulnerability serves as a stark reminder of the importance of regular security audits and timely patching.

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
