CVE-2019-25261 Overview
CVE-2019-25261 is an unquoted service path vulnerability affecting AnyDesk 5.4.0 on Windows systems. This security flaw exists in the Windows service configuration where the service executable path contains spaces but is not enclosed in quotation marks. This misconfiguration allows local attackers to potentially inject malicious executables into the service's execution path, enabling privilege escalation to SYSTEM-level access.
When Windows attempts to start a service with an unquoted path containing spaces, it sequentially attempts to execute binaries at each space-delimited segment of the path. An attacker with write access to any of these intermediate directory locations can place a malicious executable that Windows will execute with the service's elevated privileges instead of the intended AnyDesk binary.
Critical Impact
Local attackers can exploit the unquoted service path to achieve privilege escalation, potentially gaining SYSTEM-level access on affected Windows systems running AnyDesk 5.4.0.
Affected Products
- AnyDesk 5.4.0 for Windows
Discovery Timeline
- 2026-02-03 - CVE-2019-25261 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2019-25261
Vulnerability Analysis
The vulnerability stems from improper handling of the service executable path in AnyDesk 5.4.0's Windows service registration. According to CWE-428 (Unquoted Search Path or Element), when software does not properly quote paths containing spaces, the operating system's path parsing logic can be exploited.
In Windows, when a service path like C:\Program Files\AnyDesk\AnyDesk.exe is registered without enclosing quotation marks, the Windows Service Control Manager (SCM) interprets the path ambiguously. Windows attempts to execute the following candidates, in order:
- C:\Program.exe
- C:\Program Files\AnyDesk\AnyDesk.exe
If an attacker has write permissions to C:\, they can place a malicious executable named Program.exe at that location. When the AnyDesk service starts (typically at system boot or upon demand), Windows will execute the attacker's malicious binary with SYSTEM privileges before reaching the legitimate AnyDesk executable.
Root Cause
The root cause is the failure to enclose the service binary path in quotation marks during service registration. The Windows registry entry for the AnyDesk service stores the ImagePath value without quotes, which creates the ambiguous path parsing described above. This is a classic example of insecure default configuration in Windows service deployment.
Attack Vector
This vulnerability requires local access to the target system. An attacker must have the ability to write files to a directory in the unquoted service path (such as C:\ for Program.exe or C:\Program Files\ for AnyDesk.exe). The attack is typically executed by:
- Identifying the unquoted service path via Windows service enumeration
- Determining write permissions on intermediate path locations
- Placing a malicious executable at a location Windows will attempt to execute first
- Waiting for or triggering a service restart
The malicious executable will then run with the same privileges as the AnyDesk service (typically SYSTEM), granting the attacker full control over the affected system.
Detection Methods for CVE-2019-25261
Indicators of Compromise
- Unexpected executables named Program.exe, AnyDesk.exe, or similar variants in root directories (C:\) or C:\Program Files\
- Unusual service behavior or startup failures for the AnyDesk service
- Newly created files in directories along the AnyDesk service path with recent timestamps
- Process execution logs showing unexpected binaries running with SYSTEM privileges
Detection Strategies
- Use PowerShell or WMI queries to enumerate services with unquoted paths: Get-WmiObject win32_service | Where-Object {$_.PathName -notmatch '^"' -and $_.PathName -match ' '}
- Monitor file creation events in high-privilege directories such as C:\ and C:\Program Files\
- Implement application whitelisting to prevent unauthorized executable execution
- Deploy endpoint detection solutions that can identify privilege escalation attempts
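The one-liner above flags every unquoted path that contains a space, including services whose only space precedes an argument. The following PowerShell is an added example, not code from the advisory or from AnyDesk: the hypothetical function Get-UnquotedPathCandidates lists the exact earlier paths Windows would try, run here over constructed sample ImagePath values, and reports whether a file already exists at any of them. It assumes the intended binary is the first token ending in .exe.

```powershell
# Added example (hypothetical helper, not vendor code). Returns the extra paths
# Windows would try before the intended binary when ImagePath is unquoted.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($path.StartsWith('"')) { return }          # quoted: no ambiguity

    # Assumption: everything up to the first ".exe" is the intended binary;
    # whatever follows is arguments (e.g. "--service") and is ignored.
    $m = [regex]::Match($path, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value

    # Each space inside the binary path yields one earlier candidate:
    # the text before the space with ".exe" appended.
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $exe.Substring(0, $i) + '.exe' }
    }
}

# Constructed sample data. On a real host, use instead:
#   $services = Get-CimInstance Win32_Service | Select-Object Name, PathName
$services = @(
    [pscustomobject]@{ Name = 'AnyDesk'
                       PathName = 'C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service' }
    [pscustomobject]@{ Name = 'QuotedSvc'
                       PathName = '"C:\Program Files\Vendor\svc.exe" -k run' }
    [pscustomobject]@{ Name = 'NoSpaceSvc'
                       PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

# One row per ambiguous candidate; quoted and space-free paths produce no rows.
foreach ($svc in $services) {
    foreach ($candidate in @(Get-UnquotedPathCandidates -ImagePath $svc.PathName)) {
        [pscustomobject]@{
            Service   = $svc.Name
            Candidate = $candidate
            # True means a file already sits at an earlier search position.
            Planted   = Test-Path -LiteralPath $candidate
        }
    }
}
```

Any row with Planted set to True corresponds to the first indicator listed under Indicators of Compromise and should be investigated before the service is next restarted.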
Monitoring Recommendations
- Enable Windows Security Event logging for service creation and modification events (Event ID 7045)
- Monitor for process creation events where the parent process is services.exe but the child process is unexpected
- Configure file integrity monitoring on directories in the AnyDesk service path
- Alert on any executable creation in root directories or Program Files outside normal software installation patterns
How to Mitigate CVE-2019-25261
Immediate Actions Required
- Verify if your AnyDesk installation is version 5.4.0 by checking the application's Help > About menu or inspecting the file properties
- Manually correct the service path by adding quotation marks around the ImagePath registry value
- Audit write permissions on C:\ and C:\Program Files\ directories to ensure only administrators have write access
- Update AnyDesk to the latest available version that addresses this configuration issue
Patch Information
AnyDesk users should upgrade to a version newer than 5.4.0 that properly quotes the service path during installation. For additional technical details, refer to the VulnCheck AnyDesk Advisory and Exploit-DB #47883.
Workarounds
- Manually modify the registry to add quotation marks around the service path: Navigate to HKLM\SYSTEM\CurrentControlSet\Services\AnyDesk and enclose the ImagePath value in double quotes
- Restrict write permissions on C:\ and intermediate directories in the service path to administrators only
- Implement application control policies to prevent execution of unauthorized binaries
- Consider uninstalling AnyDesk 5.4.0 if an immediate upgrade is not possible and the software is not critical
rem Configuration example: fix the unquoted service path via the registry (cmd.exe syntax)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\AnyDesk" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files (x86)\AnyDesk\AnyDesk.exe\" --service" /f


