CVE-2024-52940 Overview
CVE-2024-52940 is an information disclosure vulnerability affecting AnyDesk versions through 8.1.0 on Windows. When the Allow Direct Connections feature is enabled, the application inadvertently exposes the public IP address of a connected client within network traffic. An attacker who knows the victim's AnyDesk ID can trigger a connection and capture the exposed IP address. The vulnerability is classified under CWE-532: Insertion of Sensitive Information into Log File and carries a CVSS score of 7.5.
Critical Impact
Remote attackers with knowledge of a target's AnyDesk ID can deanonymize users by extracting their public IP address from network traffic without any user interaction.
Affected Products
- AnyDesk for Windows versions through 8.1.0
- Installations with Allow Direct Connections enabled
- Standard, custom, and portable AnyDesk Windows clients within the affected version range
Discovery Timeline
- 2024-11-18 - CVE-2024-52940 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-52940
Vulnerability Analysis
The vulnerability resides in how AnyDesk establishes peer-to-peer sessions when Allow Direct Connections is enabled. This setting permits clients to bypass AnyDesk relay servers and connect directly for lower latency. During direct connection negotiation, the client exposes its public IP address within network traffic observable by the remote peer. An attacker initiating a connection to a known AnyDesk ID can capture this address using a network sniffer or a purpose-built tool such as the Abdal AnyDesk Remote IP Detector. The flaw enables deanonymization of remote users, exposing them to follow-on reconnaissance, geolocation, or targeted network attacks.
Root Cause
The issue stems from improper handling of sensitive network metadata during direct peer negotiation [CWE-532]. When direct connections are permitted, the AnyDesk client transmits identifying network information without sufficient masking or relay obfuscation. Users who enable the feature for performance reasons unknowingly reveal their real public IP to any peer that initiates a session with their AnyDesk ID. Subsequent client changes are tracked in the vendor's Anydesk Changelog.
Attack Vector
Exploitation requires the attacker to know the victim's AnyDesk ID, which is a numeric identifier often shared during support interactions or harvested through social engineering. The attacker initiates a direct connection while running a packet capture tool to observe the negotiation traffic. The victim's public IP appears in the captured packets without any authentication, authorization, or user interaction beyond their machine being online. No code execution or system compromise occurs, but the disclosed IP enables follow-on attacks such as network scanning, denial of service, or targeted phishing.
The exploitation pattern is demonstrated in the open-source tool referenced above, which initiates a direct AnyDesk session against a known ID and parses the resulting network traffic to extract the remote peer's public IP address. No proof-of-concept code is reproduced here; refer to the referenced repository for technical details.
Detection Methods for CVE-2024-52940
Indicators of Compromise
- Unexpected inbound AnyDesk connection attempts from unknown AnyDesk IDs
- Outbound traffic from AnyDesk.exe to unfamiliar external IP addresses on TCP port 7070 or peer-to-peer ports
- Repeated short-duration direct connections that terminate before a session is established
- Log entries in %APPDATA%\AnyDesk\ad.trace showing aborted incoming session requests
Detection Strategies
- Monitor endpoint telemetry for AnyDesk.exe processes initiating outbound direct connections rather than using relay servers
- Inspect firewall logs for short-lived AnyDesk peer-to-peer sessions originating from unexpected external sources
- Correlate AnyDesk connection attempts with the source AnyDesk ID and flag IDs not on an internal allowlist
- Review AnyDesk client trace files for direct connection negotiations followed by immediate disconnects
Monitoring Recommendations
- Centralize AnyDesk trace logs into a SIEM and alert on incoming connection attempts from non-approved AnyDesk IDs
- Track the count of distinct remote peers connecting to each internal AnyDesk client over rolling windows
- Alert when AnyDesk processes establish direct peer-to-peer sockets on hosts where relay-only policy is expected
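The trace-file review and allowlist correlation described in the detection strategies above, as an added example that is not part of the original advisory: it parses a constructed, simplified trace format (real ad.trace fields differ and LINE_RE must be adapted), flags session requests from AnyDesk IDs outside an assumed internal allowlist, and counts repeated requests that abort within seconds, the pattern a direct-connection IP probe leaves behind.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical, simplified trace format
# (timestamp, event, remote AnyDesk ID). This is NOT AnyDesk's real
# ad.trace layout; adjust LINE_RE to the fields your installation writes.
SAMPLE_TRACE = """\
2024-11-18 10:00:01 incoming_request id=123456789
2024-11-18 10:00:02 session_aborted id=123456789
2024-11-18 10:00:05 incoming_request id=123456789
2024-11-18 10:00:06 session_aborted id=123456789
2024-11-18 10:00:09 incoming_request id=123456789
2024-11-18 10:00:10 session_aborted id=123456789
2024-11-18 10:05:00 incoming_request id=555000111
2024-11-18 10:05:01 session_established id=555000111
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) id=(\d+)$")
ALLOWLIST = {"555000111"}   # approved partner IDs (constructed for the sample)
ABORT_WINDOW_S = 5          # request -> abort faster than this is suspicious
ABORT_THRESHOLD = 3         # this many quick aborts from one ID raises an alert

def parse(trace: str):
    """Yield (timestamp, event, remote_id) for every line matching LINE_RE."""
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def analyze(trace: str, allowlist=ALLOWLIST):
    """Return alert strings for unknown IDs and for IDs with repeated quick aborts."""
    pending = {}                      # remote_id -> time of its last incoming_request
    quick_aborts = defaultdict(int)   # remote_id -> number of fast request/abort pairs
    unknown = set()
    for ts, event, rid in parse(trace):
        if event == "incoming_request":
            pending[rid] = ts
            if rid not in allowlist:
                unknown.add(rid)
        elif event == "session_aborted" and rid in pending:
            if (ts - pending.pop(rid)).total_seconds() <= ABORT_WINDOW_S:
                quick_aborts[rid] += 1
        elif event == "session_established":
            pending.pop(rid, None)    # a real session, not a probe
    alerts = [f"unknown AnyDesk ID {rid} requested a session" for rid in sorted(unknown)]
    alerts += [f"ID {rid}: {n} aborted requests within {ABORT_WINDOW_S}s each"
               for rid, n in quick_aborts.items() if n >= ABORT_THRESHOLD]
    return alerts
```

Feed the function the centralized trace lines from the SIEM export and route the returned alerts to the allowlist-violation rule described above.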
How to Mitigate CVE-2024-52940
Immediate Actions Required
- Disable the Allow Direct Connections option in AnyDesk client settings on all Windows endpoints
- Force AnyDesk traffic to route through vendor relay servers to prevent direct peer exposure
- Restrict AnyDesk usage to approved AnyDesk IDs using the access control list feature in client settings
- Update AnyDesk to the latest available release tracked in the Anydesk Changelog
Patch Information
At the time of NVD publication, the advisory referenced the vendor's Anydesk Changelog for version tracking. Administrators should review the changelog for the first build that addresses direct connection IP exposure and deploy it across all Windows endpoints. Until a confirmed fix is installed, the configuration workarounds below should be enforced through group policy or the AnyDesk MSI configuration.
Workarounds
- Set ad.anynet.allow_direct_connections=false in the AnyDesk configuration file to disable direct connections
- Deploy AnyDesk through a custom client build with direct connections disabled by default
- Place AnyDesk endpoints behind a VPN or proxy so the exposed IP does not reveal the user's true location
- Limit inbound AnyDesk connections to known partner AnyDesk IDs using the built-in allowlist
# Configuration example: disable direct connections in AnyDesk system config
# File: %PROGRAMDATA%\AnyDesk\system.conf
ad.anynet.allow_direct_connections=false
ad.security.interactive_access=2
ad.features.allow_tcp_tunneling=false
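An added example, not part of the original advisory or of AnyDesk's own tooling, that audits a system.conf text against the three settings in the configuration example above and rewrites non-compliant or missing keys while leaving unrelated lines intact; the weak sample config and the placeholder key are constructed, and the file path is the one the page gives.

```python
# Baseline taken from the configuration example above (keys as the page gives them).
REQUIRED = {
    "ad.anynet.allow_direct_connections": "false",
    "ad.security.interactive_access": "2",
    "ad.features.allow_tcp_tunneling": "false",
}

# Constructed sample: a weak config with direct connections still enabled.
# In production read %PROGRAMDATA%\AnyDesk\system.conf instead.
WEAK_CONF = """\
# constructed sample system.conf
ad.anynet.allow_direct_connections=true
ad.security.interactive_access=1
ad.placeholder.other_setting=keep
"""

def parse_conf(text: str) -> dict:
    """Parse key=value lines; comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text: str) -> list:
    """Return the required keys that are missing or hold a non-compliant value."""
    conf = parse_conf(text)
    return [k for k, want in REQUIRED.items() if conf.get(k) != want]

def harden(text: str) -> str:
    """Return the config with every required key set to its baseline value.
    Existing lines are rewritten in place; missing keys are appended."""
    out, seen = [], set()
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key in REQUIRED and not line.lstrip().startswith("#"):
            out.append(f"{key}={REQUIRED[key]}")
            seen.add(key)
        else:
            out.append(line)              # comments and unrelated keys are preserved
    out += [f"{k}={v}" for k, v in REQUIRED.items() if k not in seen]
    return "\n".join(out) + "\n"
```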
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.