CVE-2025-27917 Overview
CVE-2025-27917 is a remote denial of service vulnerability affecting multiple AnyDesk remote access clients across desktop and mobile platforms. The flaw stems from incorrect deserialization logic that triggers a failed memory allocation followed by a NULL pointer dereference [CWE-476]. A remote attacker can send crafted data to the AnyDesk service and crash the client process without authentication or user interaction. The vulnerability impacts AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0.
Critical Impact
Unauthenticated remote attackers can crash AnyDesk clients across Windows, macOS, Linux, iOS, and Android, disrupting remote support and administration sessions.
Affected Products
- AnyDesk for Windows before 9.0.5
- AnyDesk for macOS before 9.0.1
- AnyDesk for Linux before 7.0.0, iOS before 7.1.2, and Android before 8.0.0
Discovery Timeline
- 2025-11-06 - CVE-2025-27917 published to NVD
- 2025-12-08 - Last updated in NVD database
Technical Details for CVE-2025-27917
Vulnerability Analysis
The vulnerability resides in the deserialization routines used by the AnyDesk client to parse incoming network messages. When the client processes a malformed serialized object, the deserializer requests a memory allocation that fails or returns an invalid size. The code path does not validate the allocation result before dereferencing the resulting pointer. The subsequent NULL pointer dereference terminates the AnyDesk process, severing any active remote session and preventing reconnection until the service restarts. The flaw affects the impacted versions across all major AnyDesk-supported platforms, indicating the defect lives in shared protocol-handling code rather than a platform-specific module.
Root Cause
The root cause is improper validation during deserialization. The client trusts attacker-controlled length or type fields when computing an allocation size, then operates on the returned pointer without confirming the allocation succeeded. This pattern maps directly to [CWE-476] NULL Pointer Dereference and reflects missing error handling on the allocation path.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker reachable on the AnyDesk listening port can deliver a crafted message that triggers the faulty deserialization branch. Because AnyDesk is frequently deployed for unattended remote administration, repeated exploitation can deny administrators access to managed endpoints. The vulnerability does not provide code execution or data exposure; impact is limited to availability of the AnyDesk client. Detailed exploitation analysis is documented in the Czech Technical University Thesis that accompanies the disclosure.
Detection Methods for CVE-2025-27917
Indicators of Compromise
- Unexpected crashes or restarts of the AnyDesk.exe process or platform equivalents on hosts running vulnerable client versions.
- Windows Application or Reliability event log entries referencing access violations in the AnyDesk binary.
- Inbound TCP traffic to AnyDesk listening ports from unexpected external addresses immediately preceding a client crash.
Detection Strategies
- Inventory installed AnyDesk versions across endpoints and flag any host running a version below the fixed release for its platform.
- Correlate AnyDesk process termination events with preceding network connections to identify potential remote DoS attempts.
- Monitor crash dump generation tied to the AnyDesk process to surface repeated exploitation attempts against the same host.
Monitoring Recommendations
- Alert on repeated AnyDesk service restarts within short time windows on a single endpoint.
- Track failed inbound connections to AnyDesk ports from non-corporate source addresses.
- Review remote support session logs for abnormal disconnections that align with client crashes.
How to Mitigate CVE-2025-27917
Immediate Actions Required
- Upgrade AnyDesk for Windows to 9.0.5 or later, macOS to 9.0.1 or later, Linux to 7.0.0 or later, iOS to 7.1.2 or later, and Android to 8.0.0 or later.
- Restrict inbound access to AnyDesk listening ports using host and network firewalls so only trusted source addresses can reach the client.
- Disable unattended access on endpoints that do not require it until patching is complete.
Patch Information
AnyDesk has released fixed builds for every affected platform. Refer to the AnyDesk Windows Changelog for Windows release notes and obtain corresponding macOS, Linux, iOS, and Android updates from the official AnyDesk download channels. Apply the patched versions across managed and BYOD endpoints before re-enabling external access.
Workarounds
- Block external inbound traffic to AnyDesk and require connections to traverse a managed relay or VPN.
- Enforce the AnyDesk access control list to permit only known client IDs, reducing exposure to opportunistic remote DoS traffic.
- Temporarily stop the AnyDesk service on critical endpoints if patching cannot be completed in the near term.
# Example: restrict inbound AnyDesk traffic on Windows to a trusted subnet
New-NetFirewallRule -DisplayName "AnyDesk-Restrict-Inbound" `
-Direction Inbound -Program "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" `
-RemoteAddress 10.0.0.0/8 -Action Allow
New-NetFirewallRule -DisplayName "AnyDesk-Block-Other-Inbound" `
-Direction Inbound -Program "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" `
-Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

