Cyber Security News

AnyDesk Flaw Allows Admin Access Through Weaponized Windows Wallpapers

Cybersecurity enthusiasts and IT administrators worldwide are voicing concerns over a newly discovered vulnerability in AnyDesk that could lead to local privilege escalation (LPE).

The vulnerability, identified as CVE-2024-12754 and coordinated by Trend Micro’s Zero Day Initiative, allows attackers to weaponize Windows background images for escalating permissions on Windows systems.

A Closer Look at the Vulnerability

Discovered by security researcher Naor Hodorov, the flaw lies in the way the AnyDesk service handles background images during remote sessions.

Specifically, when a session is initiated, AnyDesk copies the user’s background image into the C:\Windows\Temp directory using NT AUTHORITY\SYSTEM privileges.

File Copy operation performed by the AnyDesk serviceFile Copy operation performed by the AnyDesk service
File Copy operation performed by the AnyDesk service

Here’s the twist: A low-privileged user can manipulate this file-copy operation to gain access to otherwise restricted files and, ultimately, escalate their privileges.

By carefully pre-creating a target file in C:\Windows\Temp and exploiting file ownership inheritance behaviors, the attacker can execute an arbitrary file read or copy operation.

Exploiting the Vulnerability

To exploit this vulnerability for privilege escalation, the attacker follows these steps:

  1. Pre-Creation of Target Files: The attacker pre-creates a file in C:\Windows\Temp matching the name of the background image.
  2. Triggering AnyDesk’s File Copy Mechanism: They set their desktop background image to the desired file and establish a connection to their own AnyDesk ID. This triggers the file to be copied as NT AUTHORITY\SYSTEM.
  3. Manipulating File Ownership: Using directory reparse points and symbolic links, they redirect AnyDesk’s copy operation to sensitive system files, such as the SAM, SYSTEM, and SECURITY files stored in Volume Shadow Copies (used for Restore Points).
  4. Extracting Credentials: By reading these files, the attacker gains access to hashes and credentials of local administrators and cached users, effectively gaining administrative rights on the system.
Seems like we got ourselves an Arbitrary File Read/Copy vulnerability!

What makes this vulnerability dangerous is its potential simplicity. AnyDesk, a popular remote administration tool used by millions worldwide, is installed on enterprise and personal devices alike.

While the complexity of the attack chain may deter casual attackers, skilled adversaries could weaponize this for more sophisticated breaches.

Arbitrary File Copy Leading to Local Privilege Escalation

The vulnerability was responsibly disclosed to AnyDesk Software GmbH on July 24, 2024, with public disclosure coordinated for December 19, 2024.

The credit for this discovery goes to Naor Hodorov, whose findings were facilitated by Trend Micro’s Zero Day Initiative.

Until a patch is released, users and administrators are urged to:

  • Restrict access to AnyDesk installations, particularly on high-value systems.
  • Regularly monitor and secure the C:\Windows\Temp directory.
  • Disable Volume Shadow Copies if not in use.

As organizations increasingly rely on remote access tools, this vulnerability serves as a stark reminder of the importance of regular security audits and timely patching.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Popular Instagram Blogger’s Account Hacked to Phish Users and Steal Banking Credentials

A high-profile Russian Instagram blogger recently fell victim to a sophisticated cyberattack, where scammers hijacked…

3 minutes ago

Ransomware Attacks on Food & Agriculture Industry Surge 100% – 84 Attacks in Just 3 Months

The food and agriculture industry is facing an unprecedented wave of cybersecurity threats in 2025,…

13 minutes ago

Microsoft 365 Copilot and Office Apps Now Protected by SafeLinks at Click Time

Microsoft announced a major update aimed at bolstering the cybersecurity of its flagship AI-powered productivity…

18 minutes ago

Hackers Targeting Schools and Universities in New Mexico with Cyber Attacks

A major cyberattack on the Coweta County School System's computer network occurred late Friday night, which is a worrying development for New Mexico's educational institutions. The unauthorized intrusion, detected around 7:00 p.m., prompted immediate action from the school…

19 minutes ago

Initial Access Brokers Play a Vital Role in Modern Ransomware Attacks

The ransomware threat landscape has evolved dramatically in recent years, with specialized cybercriminals like Initial…

26 minutes ago

Darcula PhaaS: 884,000 Credit Card Details Stolen from 13 Million Global User Clicks

The Darcula group has orchestrated a massive phishing-as-a-service (PhaaS) operation, dubbed Magic Cat, compromising an…

38 minutes ago