CVE-2025-27918 Overview
CVE-2025-27918 is a critical integer overflow vulnerability affecting AnyDesk remote desktop software across multiple platforms. The vulnerability exists in the processing of Identity user images within the Discovery feature and during connection establishment between clients. A maliciously crafted UDP packet can trigger an integer overflow, which leads to a heap-based buffer overflow condition. This vulnerability allows remote attackers to potentially execute arbitrary code or cause a denial of service without requiring authentication or user interaction.
Critical Impact
Remote attackers can exploit this vulnerability via specially crafted UDP packets to trigger a heap-based buffer overflow, potentially leading to remote code execution or denial of service across all major AnyDesk platforms.
Affected Products
- AnyDesk for Windows before version 9.0.5
- AnyDesk for macOS before version 9.0.1
- AnyDesk for Linux before version 7.0.0
- AnyDesk for iOS before version 7.1.2
- AnyDesk for Android before version 8.0.0
Discovery Timeline
- 2025-11-06 - CVE-2025-27918 published to NVD
- 2025-12-08 - Last updated in NVD database
Technical Details for CVE-2025-27918
Vulnerability Analysis
This vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The flaw occurs when AnyDesk processes Identity user image data received via UDP packets during the Discovery feature operation or when establishing connections between clients. When a maliciously crafted packet containing oversized or specially calculated image dimension values is processed, an integer overflow occurs during memory allocation calculations. This results in an undersized heap buffer being allocated, which subsequently causes a heap-based buffer overflow when the actual image data is written to the buffer.
The network-based attack vector means that any system running a vulnerable version of AnyDesk with the Discovery feature enabled or accepting incoming connections is potentially at risk. The vulnerability requires no privileges and no user interaction, making it particularly dangerous in enterprise environments where AnyDesk may be deployed across numerous endpoints.
Root Cause
The root cause is improper validation of user-supplied image dimension values before performing arithmetic operations for memory allocation. When these dimensions are processed, the multiplication operation used to calculate buffer size can overflow, wrapping around to a small value. The application then allocates a buffer based on this incorrect, smaller size while proceeding to write the full image data, resulting in heap memory corruption.
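The arithmetic described above, shown as an added C example (not AnyDesk's code and not taken from the advisory): an unchecked size calculation beside a bounds-checked one. The function names, the 32-bit dimension fields, the 4 bytes per pixel and the 4096-pixel cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions for illustration: 32-bit dimension fields, RGBA pixels, 4096 px cap. */
#define BYTES_PER_PIXEL 4u
#define MAX_DIM 4096u

/* Vulnerable pattern: the product is computed in 32 bits and wraps silently. */
uint32_t size_unchecked(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened: bound each dimension, then prove the product fits before multiplying. */
int size_checked(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return -1;
    if ((size_t)width > SIZE_MAX / BYTES_PER_PIXEL / (size_t)height)
        return -1;
    *out = (size_t)width * (size_t)height * BYTES_PER_PIXEL;
    return 0;
}

/* Copy pixels only when the declared size equals the bytes actually received. */
uint8_t *copy_image(uint32_t width, uint32_t height,
                    const uint8_t *payload, size_t payload_len)
{
    size_t need;
    uint8_t *buf;

    if (size_checked(width, height, &need) != 0 || need != payload_len)
        return NULL;
    buf = malloc(need);
    if (buf != NULL)
        memcpy(buf, payload, need);
    return buf;
}

int main(void)
{
    /* Constructed dimensions: true size is 4295098368 bytes, 32-bit result is 131072. */
    size_t n;
    printf("unchecked: %u bytes\n", (unsigned)size_unchecked(0x8001u, 0x8000u));
    printf("checked:   %s\n", size_checked(0x8001u, 0x8000u, &n) ? "rejected" : "accepted");
    return 0;
}
```

The dimension cap and the match between declared size and received payload length are separate checks: the first prevents the wrap, the second prevents a write or read past what was actually sent.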
Attack Vector
The attack can be executed remotely over the network by sending a specially crafted UDP packet to a vulnerable AnyDesk installation. The Discovery feature, which allows AnyDesk clients to find other clients on the local network, processes these packets automatically. Additionally, the vulnerability can be triggered during the connection handshake process between any two AnyDesk clients, expanding the attack surface beyond just local network scenarios.
The attacker would craft a UDP packet containing Identity user image data with malicious dimension values designed to cause an integer overflow. When the target AnyDesk client processes this packet, the integer overflow leads to heap corruption, which could be leveraged for remote code execution or to crash the application. For more technical details, refer to the CVUT thesis document linked in the references.
Detection Methods for CVE-2025-27918
Indicators of Compromise
- Anomalous UDP traffic patterns targeting AnyDesk ports (default port 7070) with unusually large or malformed packets
- AnyDesk process crashes or unexpected terminations, particularly during Discovery operations or connection attempts
- Heap corruption errors or memory access violations in AnyDesk application logs
- Unusual memory consumption patterns in AnyDesk processes prior to crashes
Detection Strategies
- Monitor network traffic for UDP packets targeting AnyDesk services with suspicious payload sizes or malformed Identity image data
- Implement endpoint detection rules to identify AnyDesk process crashes associated with heap corruption or buffer overflow indicators
- Deploy intrusion detection signatures to identify packets containing abnormal image dimension values in AnyDesk protocol communications
- Use application-level monitoring to detect repeated Discovery feature failures or connection establishment anomalies
Monitoring Recommendations
- Enable verbose logging for AnyDesk applications to capture detailed connection and Discovery feature activity
- Implement network segmentation to limit exposure of AnyDesk Discovery traffic to trusted network segments only
- Configure SIEM alerts for patterns of AnyDesk crashes or restarts across multiple endpoints
- Monitor for any unauthorized processes spawned by AnyDesk following crash events
How to Mitigate CVE-2025-27918
Immediate Actions Required
- Update AnyDesk for Windows to version 9.0.5 or later immediately
- Update AnyDesk for macOS to version 9.0.1 or later
- Update AnyDesk for Linux to version 7.0.0 or later
- Update AnyDesk for iOS to version 7.1.2 or later
- Update AnyDesk for Android to version 8.0.0 or later
Patch Information
AnyDesk has released patched versions for all affected platforms. Organizations should consult the AnyDesk Windows Changelog for detailed release notes and download links for the latest secure versions. Enterprise deployments should prioritize this update due to the critical severity and network-based attack vector of this vulnerability.
Workarounds
- Disable the Discovery feature in AnyDesk settings if not required for business operations to reduce the attack surface
- Implement network-level filtering to block unsolicited UDP traffic to AnyDesk ports from untrusted sources
- Restrict AnyDesk usage to controlled network segments with proper firewall rules until patching is complete
- Consider temporary removal of AnyDesk from critical systems until updates can be deployed
# Example: Block unsolicited UDP traffic to AnyDesk default port on Linux
sudo iptables -A INPUT -p udp --dport 7070 -m state --state NEW -j DROP
# Allow only established connections
sudo iptables -A INPUT -p udp --dport 7070 -m state --state ESTABLISHED -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


