CVE-2022-32450 Overview
CVE-2022-32450 is a local privilege escalation vulnerability affecting AnyDesk 7.0.9, a widely-used remote desktop application. The vulnerability allows a local user to escalate privileges to SYSTEM level through a symbolic link attack (symlink attack). This occurs because users can write to their own %APPDATA% folder, which is used for ad.trace and chat files, while the AnyDesk service runs as SYSTEM when writing chat-room data to that same location.
Critical Impact
A low-privileged local user can leverage this vulnerability to gain complete SYSTEM-level access on Windows systems running AnyDesk 7.0.9, potentially leading to full system compromise.
Affected Products
- AnyDesk 7.0.9
Discovery Timeline
- 2022-07-18 - CVE-2022-32450 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-32450
Vulnerability Analysis
This vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. The core issue stems from a race condition scenario where the AnyDesk application operates with elevated SYSTEM privileges while writing to user-controlled directories.
When AnyDesk processes chat-room data, it writes files to the user's %APPDATA% directory. Since standard users have full write access to their own %APPDATA% folder, an attacker can create symbolic links within this directory that point to sensitive system locations. When the AnyDesk service (running as SYSTEM) follows these symbolic links to write data, it inadvertently writes to the attacker-specified target location with SYSTEM-level privileges.
This privilege mismatch between file access permissions and service execution context creates an exploitable condition for local privilege escalation.
Root Cause
The root cause of this vulnerability lies in the improper handling of file operations when the AnyDesk service writes to user-controlled directories. The application fails to validate whether the target path contains symbolic links before performing write operations with elevated privileges. Specifically:
- The AnyDesk service runs with SYSTEM privileges
- It writes chat data and trace files (ad.trace, chat files) to the user's %APPDATA% folder
- The application does not implement proper checks to prevent symbolic link following
- This allows users to redirect SYSTEM-level file writes to arbitrary locations
Attack Vector
The attack requires local access to the target system and involves the following general methodology:
- The attacker identifies the AnyDesk data directory within their %APPDATA% folder
- A symbolic link (junction point on Windows) is created that redirects the expected write location to a sensitive system file or directory
- When AnyDesk's SYSTEM-level service attempts to write chat or trace data, it follows the symbolic link
- The file write occurs at the attacker-controlled destination with SYSTEM privileges
- By targeting specific system files or directories, the attacker can achieve privilege escalation or denial of service
The vulnerability can be exploited for arbitrary file write operations, which may result in denial of service conditions or, in sophisticated attack scenarios, complete privilege escalation to SYSTEM level. Technical details and proof-of-concept information are available in the Packet Storm security advisory and Full Disclosure mailing list posts.
Detection Methods for CVE-2022-32450
Indicators of Compromise
- Presence of symbolic links or junction points in user %APPDATA%\AnyDesk directories pointing to system locations
- Unexpected file modifications in system directories coinciding with AnyDesk service activity
- Anomalous file system activity involving the AnyDesk process writing to locations outside its expected directories
- Creation of junction points or symbolic links by non-administrative users in AnyDesk-related folders
Detection Strategies
- Monitor file system operations for symbolic link creation within %APPDATA% directories, particularly those associated with AnyDesk
- Implement endpoint detection rules to alert on the AnyDesk service writing to unexpected system paths
- Use Windows Sysmon or similar tools to track file creation events (Event ID 11) and detect anomalous write patterns from the AnyDesk service
- Audit junction point and symbolic link creation events on endpoints where AnyDesk is installed
Monitoring Recommendations
- Enable detailed file system auditing on Windows systems running vulnerable AnyDesk versions
- Configure SIEM rules to correlate AnyDesk service activity with file operations in system-critical directories
- Monitor for privilege escalation attempts following AnyDesk-related file operations
- Review endpoint logs for any creation of symbolic links by standard user accounts in application data directories
How to Mitigate CVE-2022-32450
Immediate Actions Required
- Upgrade AnyDesk to a version newer than 7.0.9 where this vulnerability has been addressed
- Conduct an inventory of all systems running AnyDesk 7.0.9 and prioritize patching based on risk assessment
- Consider temporarily restricting AnyDesk usage or isolating affected systems until patches can be applied
- Review user access on systems where AnyDesk is deployed to identify potential insider threat scenarios
Patch Information
AnyDesk users should update to the latest available version from the official AnyDesk website. The vendor has addressed this vulnerability in subsequent releases. Organizations should verify the installed AnyDesk version across their environment and apply updates through their standard software deployment processes.
Workarounds
- Implement application whitelisting to prevent unauthorized symbolic link creation in AnyDesk directories
- Use Windows security policies to restrict symbolic link creation by non-administrative users where possible
- Deploy file integrity monitoring on the %APPDATA%\AnyDesk directory to detect unauthorized modifications
- Consider running AnyDesk with reduced privileges where operationally feasible, though this may impact functionality
# Check installed AnyDesk version on Windows (PowerShell)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
Where-Object { $_.DisplayName -like "*AnyDesk*" } |
Select-Object DisplayName, DisplayVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
