Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2016-20094

CVE-2016-20094: AnyDesk Privilege Escalation Vulnerability

CVE-2016-20094 is a privilege escalation vulnerability in AnyDesk 2.5.0 caused by an unquoted service path. Attackers can gain SYSTEM privileges by placing malicious executables in the system root path.

Published:

CVE-2016-20094 Overview

CVE-2016-20094 is an unquoted service path vulnerability in AnyDesk 2.5.0 that allows local attackers to execute arbitrary code with SYSTEM privileges. The Windows service installed by AnyDesk registers an executable path that lacks proper quoting, causing the Windows Service Control Manager to interpret spaces in the path as delimiters. A local user who can write to a higher-level directory in the path can plant a malicious executable that runs at service startup or system reboot. The flaw is tracked under CWE-428 (Unquoted Search Path or Element).

Critical Impact

Local low-privileged users can achieve SYSTEM-level code execution by placing a crafted binary along the unquoted service path, leading to full local privilege escalation.

Affected Products

  • AnyDesk 2.5.0 for Windows
  • AnyDesk Windows service installations using the vulnerable installer build
  • Endpoints where the AnyDesk service runs with LocalSystem privileges

Discovery Timeline

  • 2016-10-04 - Public proof-of-concept published as Exploit-DB #40410
  • 2026-06-19 - CVE-2016-20094 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2016-20094

Vulnerability Analysis

The vulnerability stems from how AnyDesk 2.5.0 registers its Windows service ImagePath in the registry without surrounding the path with quotation marks. When the Windows Service Control Manager (SCM) parses an unquoted path containing spaces, it attempts to execute each token before a space, appended with .exe. If an attacker controls a writable directory matching one of those tokens, the SCM launches the attacker-supplied binary instead of the intended AnyDesk executable. Because the AnyDesk service is configured to run as LocalSystem, the planted binary inherits full SYSTEM privileges. The issue is a classic instance of CWE-428, commonly exploited for local privilege escalation on Windows hosts.

Root Cause

The installer writes the service binary location to the registry value HKLM\SYSTEM\CurrentControlSet\Services\<AnyDeskService>\ImagePath as an unquoted string such as C:\Program Files\AnyDesk\AnyDesk.exe. The space between Program and Files causes Windows to evaluate candidate executables like C:\Program.exe before reaching the intended target. The absence of input validation on path quoting during service registration is the underlying defect.

Attack Vector

Exploitation requires local access and the ability to write a binary to a directory earlier in the resolution chain, for example C:\Program.exe. On systems where the root of the system drive is writable by non-administrative users, any authenticated local user can drop a payload and wait for the service to restart or the host to reboot. Refer to the VulnCheck Advisory for AnyDesk and Exploit-DB #40410 for the published technique. No network access, user interaction, or social engineering is required once local foothold is established.

Detection Methods for CVE-2016-20094

Indicators of Compromise

  • Presence of unexpected executables at the root of system drives, such as C:\Program.exe, C:\Program Files\Common.exe, or similar token-aligned binaries.
  • Windows service ImagePath values for AnyDesk that do not begin and end with quotation marks.
  • Service start events (Event ID 7036) for the AnyDesk service immediately followed by execution of a non-AnyDesk binary under SYSTEM.
  • New child processes of services.exe whose image path does not reside in the AnyDesk install directory.

Detection Strategies

  • Enumerate all service ImagePath registry values and flag entries that contain spaces but are not enclosed in quotes.
  • Hunt for file creation events targeting writable root directories on system volumes, particularly executables named after path tokens.
  • Correlate service start events with parent-child process lineage where services.exe spawns binaries outside trusted install paths.
  • Use endpoint telemetry to track binaries executing as NT AUTHORITY\SYSTEM shortly after boot or service restart.

Monitoring Recommendations

  • Enable Windows Security and System event logging and forward Service Control Manager events to a centralized log platform.
  • Monitor registry writes to HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath for modifications and unquoted values.
  • Audit ACLs on the root of every fixed drive to ensure non-administrators cannot create files such as C:\Program.exe.
  • Alert on any new executable creation in directories that should not contain binaries, including drive roots and C:\Program Files siblings.

How to Mitigate CVE-2016-20094

Immediate Actions Required

  • Upgrade AnyDesk to a current supported release that ships with a properly quoted service path; do not continue running version 2.5.0.
  • Inventory all Windows endpoints for the vulnerable AnyDesk service and remove or update any instance found.
  • Restrict write permissions on the root of system drives so standard users cannot place executables along service search paths.
  • Verify that no rogue binaries already exist at predictable token locations such as C:\Program.exe.

Patch Information

No vendor patch identifier is listed in the NVD record. The remediation path is to install a current release from the AnyDesk download page, which uses a quoted service ImagePath. Confirm the fix by inspecting the registry value for the AnyDesk service after upgrade and ensuring the full path is wrapped in double quotes. Additional context is available in the VulnCheck Advisory for AnyDesk.

Workarounds

  • Manually correct the affected service ImagePath value to wrap the executable path in double quotes, then restart the service.
  • Harden filesystem ACLs on drive roots and Program Files parents to deny Write and Create Files rights to non-administrative principals.
  • Where AnyDesk is not required, uninstall the application and remove its service entry.
bash
# Inspect the AnyDesk service path for missing quotes
sc qc AnyDesk

# Repair the unquoted ImagePath (run as Administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\AnyDesk" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\AnyDesk\AnyDesk.exe\" --service" /f

# Restart the service to apply the change
sc stop AnyDesk
sc start AnyDesk

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.