CVE-2025-27917: AnyDesk Remote Denial of Service Vulnerability

CVE-2025-27917 Overview

CVE-2025-27917 is a remote denial of service vulnerability affecting multiple versions of the AnyDesk remote desktop software across Windows, macOS, Linux, iOS, and Android platforms. The flaw stems from incorrect deserialization of attacker-supplied data, which triggers a failed memory allocation followed by a NULL pointer dereference [CWE-476]. An unauthenticated remote attacker can exploit this issue over the network to crash the AnyDesk client without any user interaction. The vulnerability does not impact confidentiality or integrity but produces a high availability impact, disrupting remote support and administration workflows that rely on AnyDesk connectivity.

Critical Impact

Unauthenticated remote attackers can crash AnyDesk clients across all major platforms, interrupting remote desktop sessions and support operations.

Affected Products

• AnyDesk for Windows before 9.0.5
• AnyDesk for macOS before 9.0.1
• AnyDesk for Linux before 7.0.0
• AnyDesk for iOS before 7.1.2
• AnyDesk for Android before 8.0.0

Discovery Timeline

• 2025-11-06 - CVE-2025-27917 published to NVD
• 2025-12-08 - Last updated in NVD database

Technical Details for CVE-2025-27917

Vulnerability Analysis

The vulnerability resides in the deserialization logic used by AnyDesk to parse incoming network data. When the client processes a malformed serialized message, the deserializer requests a memory allocation that subsequently fails. The code path does not validate the result of the allocation before dereferencing the returned pointer. This produces a NULL pointer dereference that terminates the AnyDesk process.

The attack requires no authentication, no privileges, and no user interaction. An attacker with network reachability to a target running a vulnerable AnyDesk client can transmit crafted data and force the process to crash on demand. Repeated exploitation prevents legitimate remote desktop sessions and disrupts incident response or administrative workflows that depend on AnyDesk.

The EPSS probability is 0.507% as of the most recent scoring data, indicating limited observed exploit activity in the wild. No public proof-of-concept code is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Root Cause

The root cause is improper input validation during deserialization combined with missing error handling on a memory allocation failure. The code dereferences the returned pointer without confirming the allocation succeeded, satisfying the conditions described in CWE-476: NULL Pointer Dereference. Technical details are documented in the academic thesis published at Dspace Thesis Document.

Attack Vector

The attack vector is network-based. An attacker sends a crafted serialized payload to a vulnerable AnyDesk client. The deserializer attempts to allocate memory sized by attacker-controlled fields, the allocation fails, and the following access on the unchecked pointer crashes the process. No verified exploitation code is publicly available; refer to the AnyDesk Windows Changelog for vendor-published remediation notes.

Detection Methods for CVE-2025-27917

Indicators of Compromise

• Unexpected termination of the AnyDesk.exe process or its platform equivalents without a corresponding user action
• Crash dumps or Windows Error Reporting events referencing access violations inside the AnyDesk binary
• Inbound traffic on AnyDesk listener ports from unknown or untrusted source addresses immediately preceding a client crash

Detection Strategies

• Monitor endpoint telemetry for AnyDesk process exits with non-zero exit codes followed by automatic restarts
• Correlate application crash events with network connection logs to identify remote-triggered crashes
• Inspect endpoint detection and response (EDR) telemetry for repeated NULL pointer access violations originating from AnyDesk modules

Monitoring Recommendations

• Aggregate AnyDesk client version inventory across managed endpoints and flag hosts running versions below the fixed releases
• Alert on anomalous inbound connections to AnyDesk client ports from outside expected support address ranges
• Track repeat crashes of the AnyDesk service on the same host within short time windows as a potential exploitation signal

How to Mitigate CVE-2025-27917

Immediate Actions Required

• Upgrade AnyDesk to the fixed releases: Windows 9.0.5, macOS 9.0.1, Linux 7.0.0, iOS 7.1.2, and Android 8.0.0 or later
• Inventory all endpoints, mobile devices, and servers running AnyDesk and prioritize patching internet-exposed hosts
• Restrict inbound network access to AnyDesk clients using host or perimeter firewalls until patches are deployed

Patch Information

AnyDesk has released fixed versions across all affected platforms. Administrators should consult the AnyDesk Windows Changelog for release notes and download links. Deploy the updated clients through existing software management infrastructure and verify successful upgrades by checking the reported version on each endpoint.

Workarounds

• Limit AnyDesk client exposure by allowing inbound connections only from known support infrastructure addresses
• Disable the AnyDesk service on systems that do not require remote desktop functionality until patches are applied
• Enforce the AnyDesk access control list and unattended access password policies to reduce the attack surface during the patch window