AnyPwn: The AnyDesk Pre-Auth 0-Click RCE That Exposes 10 Million+ Endpoints – Are You Patched? + Video

By /

Listen to this Post

Featured Image

Introduction:

A critical security vulnerability dubbed “AnyPwn” has been discovered in AnyDesk, the widely deployed remote desktop software used by over 10 million devices worldwide. Assigned CVE-2025-27918 with a CVSS score of 9.8 (Critical), this pre-authentication, zero-click remote code execution flaw allows an unauthenticated attacker to compromise vulnerable systems simply by sending a crafted UDP packet—no user interaction required. The vulnerability stems from an integer overflow that triggers a heap-based buffer overflow during processing of Identity user images within the Discovery feature or when establishing connections between clients.

Learning Objectives:

  • Understand the technical root cause of CVE-2025-27918 and its attack vectors
  • Learn to identify vulnerable AnyDesk versions across Windows, macOS, Linux, iOS, and Android platforms
  • Master step-by-step mitigation strategies including patching, firewall configuration, and network segmentation
  • Implement detection engineering techniques to identify exploitation attempts
  • Develop a comprehensive remote access hardening framework for enterprise environments

1. Understanding the AnyPwn Vulnerability: Technical Deep Dive

The AnyPwn vulnerability (CVE-2025-27918) represents a classic integer overflow leading to a heap-based buffer overflow. The flaw exists in how AnyDesk processes UDP packets containing Identity user images within the Discovery feature—a mechanism designed to automatically detect other AnyDesk clients on the local network.

When a vulnerable AnyDesk client receives a maliciously crafted UDP packet, an integer overflow occurs during memory allocation calculations. This causes the subsequent heap memory allocation to exceed expected boundaries, resulting in a buffer overflow that can overwrite adjacent memory locations. An attacker can leverage this to achieve arbitrary code execution with the privileges of the AnyDesk process.

Affected Versions:

  • Windows: AnyDesk before 9.0.5
  • macOS: AnyDesk before 9.0.1
  • Linux: AnyDesk before 7.0.0
  • iOS: AnyDesk before 7.1.2
  • Android: AnyDesk before 8.0.0

The attack requires no authentication, no user interaction, and can be executed remotely over the network, making it particularly dangerous for enterprise environments where AnyDesk is deployed for remote support and unattended access.

2. Identifying Vulnerable AnyDesk Installations

Before applying mitigations, organizations must identify all AnyDesk installations across their environment. Here are verification methods for each platform:

Windows – Registry Query:

Get-ItemProperty "HKLM:\SOFTWARE\AnyDesk" | Select-Object -ExpandProperty Version

Alternatively, use the AnyDesk command-line interface:

"C:\Program Files\AnyDesk\AnyDesk.exe" --version

Windows – Winget (Package Manager):

winget list AnyDesk.AnyDesk

macOS – Terminal:

/Applications/AnyDesk.app/Contents/MacOS/AnyDesk --version

Linux – Terminal:

anydesk --version
 or
dpkg -l | grep anydesk  Debian/Ubuntu
rpm -qa | grep anydesk  RHEL/CentOS

Enterprise Discovery – PowerShell Script:

$computers = Get-ADComputer -Filter  | Select-Object -ExpandProperty Name
foreach ($computer in $computers) {
if (Test-Connection $computer -Count 1 -Quiet) {
$version = Invoke-Command -ComputerName $computer -ScriptBlock {
Get-ItemProperty "HKLM:\SOFTWARE\AnyDesk" -ErrorAction SilentlyContinue |
Select-Object -ExpandProperty Version
}
if ($version -and [bash]$version -lt [bash]"9.0.5") {
Write-Output "$computer : $version - VULNERABLE"
}
}
}

3. Immediate Patching and Update Procedures

The primary mitigation is upgrading to patched versions: AnyDesk 9.0.5 or later for Windows, 9.0.1+ for macOS, 7.0.0+ for Linux, 7.1.2+ for iOS, and 8.0.0+ for Android.

Windows Silent Installation via Command Line:

AnyDesk.exe --silent --install "C:\Program Files\AnyDesk" --start-with-win

Windows – Winget Update:

winget upgrade AnyDesk.AnyDesk

macOS – Download and Install:

curl -L -o AnyDesk.dmg "https://download.anydesk.com/AnyDesk.dmg"
sudo hdiutil attach AnyDesk.dmg
sudo cp -R "/Volumes/AnyDesk/AnyDesk.app" /Applications/

Linux – Debian/Ubuntu:

wget -qO - https://keys.anydesk.com/repos/DEB-GPG-KEY | sudo apt-key add -
echo "deb http://deb.anydesk.com/ all main" | sudo tee /etc/apt/sources.list.d/anydesk-stable.list
sudo apt update
sudo apt install anydesk

Enterprise Deployment – Group Policy / RMM:

Deploy updates to all endpoints via your RMM tool with silent installation flags. Document deployment with timestamps—this documentation matters for insurance claims and compliance audits. Establish a policy that AnyDesk versions below the current patched release are not permitted to run in your environment, enforced through application control.

4. Firewall Hardening and Network Segmentation

Since the vulnerability is triggered via UDP packets, restricting network access to AnyDesk services significantly reduces the attack surface.

AnyDesk Default Ports:

  • TCP: 80, 443, 6568
  • UDP: 50001–50003 (used for Discovery feature)

Windows Firewall – Block UDP Ports via PowerShell:

New-1etFirewallRule -DisplayName "Block AnyDesk UDP Discovery" `
-Direction Inbound `
-Protocol UDP `
-LocalPort 50001-50003 `
-Action Block

Windows Firewall – Allow Only Specific IPs:

$AllowedIPs = @("192.168.1.0/24", "10.0.0.0/8")
foreach ($IP in $AllowedIPs) {
New-1etFirewallRule -DisplayName "Allow AnyDesk from $IP" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 6568 `
-RemoteAddress $IP `
-Action Allow
}

Linux – iptables Rules:

 Block UDP Discovery ports
iptables -A INPUT -p udp --dport 50001:50003 -j DROP

 Allow AnyDesk only from trusted subnets
iptables -A INPUT -p tcp --dport 6568 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6568 -j DROP

Network Segmentation:

Implement network segmentation to isolate systems running AnyDesk from critical infrastructure. Place remote access gateways in a dedicated DMZ with strict firewall rules limiting which internal systems can be accessed.

5. Disabling the Discovery Feature

The Discovery feature—which enables automatic detection of other AnyDesk clients on the local network—is the primary attack vector for CVE-2025-27918. If your organization does not require this functionality, disable it immediately.

Windows – Registry Configuration:

 Disable Discovery feature
New-ItemProperty -Path "HKLM:\SOFTWARE\AnyDesk" `
-1ame "DiscoveryEnabled" `
-Value 0 `
-PropertyType DWord `
-Force

Using AnyDesk Command Line:

AnyDesk.exe --set-settings DiscoveryEnabled=0

Configuration File (global.ad) – Windows:

Create or modify `C:\ProgramData\AnyDesk\global.ad`:

[bash]
DiscoveryEnabled=0

macOS/Linux – Configuration:

echo "[bash]" > /etc/anydesk/global.conf
echo "DiscoveryEnabled=0" >> /etc/anydesk/global.conf

6. Detection Engineering and Monitoring

Proactive detection is essential for identifying exploitation attempts. Monitor for the following indicators:

Windows Event Log Monitoring:

  • Event ID 4688 (Process Creation) – Monitor for unusual AnyDesk processes
  • Event ID 5156 (Windows Filtering Platform Connection) – Monitor UDP connections on ports 50001-50003
  • Event ID 7045 (Service Installation) – Detect unauthorized AnyDesk installations

PowerShell – Monitor UDP Connections:

Get-1etUDPEndpoint | Where-Object { $<em>.LocalPort -ge 50001 -and $</em>.LocalPort -le 50003 }

Network Traffic Analysis:

Monitor for anomalous UDP traffic to ports 50001-50003, especially from untrusted IP addresses. AnyDesk’s Discovery feature uses these ports for local network device identification.

SIEM Detection Rule (Splunk QL):

index=windows source="WinEventLog:Security"
(EventCode=5156 AND Protocol=17 AND Destination_Port>=50001 AND Destination_Port<=50003)
| stats count by Source_IP, Destination_IP, Destination_Port
| where count > threshold

Sigma Rule (YAML):

title: AnyDesk Discovery Feature Network Activity
status: experimental
description: Detects UDP traffic on AnyDesk Discovery ports
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
Protocol: 17
DestinationPort:
- 50001
- 50002
- 50003
condition: selection

File Integrity Monitoring:

Monitor for unauthorized modifications to AnyDesk binaries and configuration files in `C:\Program Files\AnyDesk\` and C:\ProgramData\AnyDesk\.

7. Comprehensive Remote Access Hardening

Beyond patching CVE-2025-27918, implement a zero-trust approach for all remote access tools:

Enable Two-Factor Authentication (TOTP):

Enable TOTP-based two-factor authentication for all My AnyDesk portal accounts, enforced by administrative policy. This eliminates credential stuffing as an attack vector.

Restrict Unattended Access:

AnyDesk’s “unattended access” feature allows connections without a human present to accept the session. This represents a significant attack surface. Restrict this feature to only essential systems and enforce strong password policies.

Rotate Credentials:

Given that AnyDesk account credentials have been confirmed on dark web markets, any password existing prior to the breach should be treated as potentially compromised. Change passwords for all AnyDesk accounts—My AnyDesk portal, service accounts, and any embedded credentials in scripts or automation.

Application Control:

Implement application whitelisting to prevent unauthorized AnyDesk executables from running. Use Windows Defender Application Control or third-party solutions.

ThreatLocker RingFencing:

Consider implementing ThreatLocker RingFencing to restrict AnyDesk’s ability to execute other processes or access sensitive system resources.

What Undercode Say:

  • Key Takeaway 1: CVE-2025-27918 (AnyPwn) is a CVSS 9.8 critical vulnerability affecting all major AnyDesk platforms. The pre-authentication, zero-click nature makes it an extremely high-priority patch—attackers need only network access to compromise vulnerable systems.

  • Key Takeaway 2: Organizations must immediately inventory all AnyDesk installations, patch to version 9.0.5 (Windows), 9.0.1 (macOS), 7.0.0 (Linux), or newer, and implement compensating controls including firewall rules blocking UDP ports 50001-50003 and disabling the Discovery feature where not required.

  • Key Takeaway 3: This vulnerability underscores the broader risk of remote access tools in enterprise environments. Beyond patching, organizations should implement zero-trust architecture, enforce MFA, restrict unattended access, and maintain continuous monitoring for suspicious network activity.

  • Key Takeaway 4: Detection engineering is critical—monitor Windows Event IDs 4688, 5156, and 7045, implement SIEM rules for UDP traffic on ports 50001-50003, and consider Sigma rules for standardized detection across security tools.

  • Key Takeaway 5: The AnyPwn disclosure highlights the importance of vendor transparency and rapid patch deployment. AnyDesk released fixes in versions 9.0.0 and later, but many organizations remain vulnerable due to delayed patching cycles.

Prediction:

  • +1 The rapid disclosure and public availability of CVE-2025-27918 details will drive accelerated patch adoption among security-conscious organizations, potentially reducing the window of exploitation for proactive enterprises.

  • -1 Given the existence of a proof-of-concept exploit and the critical CVSS score, threat actors will likely incorporate this vulnerability into automated attack frameworks within weeks, targeting unpatched systems across all platforms.

  • -1 Organizations with legacy infrastructure or slow patch management cycles face significant risk, particularly MSPs and SMEs that rely heavily on AnyDesk for remote support but lack dedicated security teams.

  • +1 This vulnerability will accelerate the adoption of zero-trust remote access architectures, pushing organizations toward solutions with built-in MFA, session recording, and continuous verification rather than relying solely on perimeter defenses.

  • -1 The interconnected nature of remote access tools means a single unpatched endpoint can serve as an entry point for lateral movement and ransomware deployment, as demonstrated in the 2024 AnyDesk breach.

  • +1 Security vendors will likely release dedicated detection rules and scanning tools for CVE-2025-27918, enabling automated vulnerability assessment and reducing the manual effort required for enterprise remediation.

▶️ Related Video (78% Match):

https://www.youtube.com/watch?v=3knGX4pZsJQ

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Thanasis Papathanasiou – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: