CVE-2024-12754 Overview
CVE-2024-12754 is an information disclosure vulnerability in AnyDesk that allows local attackers to read arbitrary files on affected Windows systems. The vulnerability exists within the handling of background images, where an attacker with low-privileged code execution can abuse the AnyDesk service by creating a junction (a type of symbolic link on Windows). This link following flaw enables unauthorized access to sensitive files, including stored credentials that could lead to further system compromise.
Critical Impact
Local attackers can leverage this vulnerability to read arbitrary files on the system, potentially disclosing stored credentials and enabling further compromise of the affected system.
Affected Products
- AnyDesk version 8.0.9 for Windows
- AnyDesk installations on Windows systems
Discovery Timeline
- 2024-12-30 - CVE-2024-12754 published to NVD
- 2025-08-14 - Last updated in NVD database
Technical Details for CVE-2024-12754
Vulnerability Analysis
This vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access), commonly known as a "link following" vulnerability. The flaw resides in how AnyDesk processes background image files. The AnyDesk service, which runs with elevated privileges, improperly follows symbolic links (specifically NTFS junctions) when accessing background image resources.
When the service attempts to read a background image file, it does not properly validate whether the file path resolves to a legitimate file or a junction pointing to a sensitive location. This allows an attacker with low-privileged access to create a junction that redirects the service's file read operation to arbitrary files on the system.
The vulnerability requires local access and the ability to execute low-privileged code on the target system. Once these conditions are met, an attacker can abuse the AnyDesk service to read files that would otherwise be inaccessible to their user account.
Root Cause
The root cause is improper link resolution before file access in the AnyDesk background image handling mechanism. The service fails to validate that file paths do not traverse through symbolic links or junctions before performing file read operations. This allows an attacker to abuse the elevated privileges of the AnyDesk service to access files outside the intended directory scope.
Attack Vector
The attack requires local access to the target system with the ability to execute code as a low-privileged user. The attacker creates an NTFS junction (directory symbolic link) that points from the expected background image location to a target file containing sensitive information. When the AnyDesk service processes the background image, it follows the junction and reads the attacker-specified file with elevated privileges.
This technique enables the attacker to read sensitive files such as stored credentials, configuration files, or other protected data. The disclosed information can then be used to escalate privileges or move laterally within the network.
The vulnerability was tracked by the Zero Day Initiative as ZDI-CAN-23940 and published as ZDI-24-1711.
Detection Methods for CVE-2024-12754
Indicators of Compromise
- Unusual junction or symbolic link creation in AnyDesk-related directories
- AnyDesk service accessing files outside its normal operational scope
- Unexpected file access patterns by the AnyDesk process, particularly to credential stores or sensitive configuration files
Detection Strategies
- Monitor for creation of NTFS junctions in directories associated with AnyDesk background images or user data
- Implement file integrity monitoring on sensitive credential stores and configuration files
- Use endpoint detection and response (EDR) solutions to track file access by the AnyDesk service
- Review Windows Security logs for suspicious symbolic link creation events
Monitoring Recommendations
- Enable detailed file system auditing for AnyDesk installation and user data directories
- Configure alerts for AnyDesk service processes accessing files outside expected paths
- Implement SentinelOne Singularity to monitor for link following attack patterns and anomalous file access behavior
How to Mitigate CVE-2024-12754
Immediate Actions Required
- Update AnyDesk to the latest available version that addresses this vulnerability
- Restrict local access to systems running AnyDesk to trusted users only
- Monitor for any signs of exploitation using endpoint detection solutions
- Review and audit any accounts that may have been compromised through credential disclosure
Patch Information
Review the Zero Day Initiative Advisory ZDI-24-1711 for detailed information about the vulnerability. Contact AnyDesk or check the official AnyDesk website for the latest security updates and patch availability.
Workarounds
- Implement strict access controls to limit which users can execute code on systems running AnyDesk
- Use application whitelisting to prevent unauthorized programs from creating symbolic links in sensitive directories
- Deploy SentinelOne Singularity endpoint protection to detect and prevent exploitation attempts
- Consider network segmentation to limit the impact of potential credential disclosure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
