This advisory report outlines critical technical details and mitigation strategies relating to the AnyDesk privilege escalation vulnerability identified as CVE-2024-12754. This report focuses on high-risk environments and geographical areas where advanced persistent threat actor (APT) groups operate, targeting sectors such as finance, government, healthcare and technology primarily in North America, Europe and parts of Asia.

Executive Summary

CVE-2024-12754 is a critical local privilege escalation vulnerability in the AnyDesk remote administration software. The vulnerability permits an adversary operating with low privileges to escalate their access to that of the NT AUTHORITY\SYSTEM account, potentially seizing complete control of critical system files and processes. By exploiting the manner in which the AnyDesk service handles file operations in the C:\Windows\Temp directory, attackers can overwrite pre-existing system files and introduce malicious code. Although there is no current evidence of active exploitation or attribution to a specific APT group, a detailed Proof-of-Concept (PoC) has been published, increasing the urgency for prompt remediation. For additional technical details, please refer to Security Online https://securityonline.info/anydesk-exploit-alert-cve-2024-12754-enables-privilege-escalation-poc-available/ as well as other security research publications available online.

Technical Information

The underlying flaw in AnyDesk results from an insecure handling of user-specified background image files. The vulnerability manifests when the AnyDesk service performs a file copy operation from the user’s chosen background image directory to the system’s temporary directory, specifically C:\Windows\Temp. During this process, the system retains the original filename, and the operation is executed using the high-level privileges of NT AUTHORITY\SYSTEM. An adversary can take advantage of this behavior by pre-creating a file in the temporary directory with the identical name as the one that is intended to be copied. When the file copy operation takes place, the adversary’s crafted file is inadvertently overwritten, thereby granting them the opportunity to execute arbitrary code with system-level privileges.

The technical implications of this vulnerability are severe. Any remote administrator system that trusts the identity and integrity of files placed in the temporary directory is at risk. The vulnerability circumvents traditional security barriers by leveraging internal system processes, and because the operation is performed with elevated privileges, it bypasses many of the controls normally in place to prevent unauthorized modifications to system directories. A comprehensive understanding of NT file permission models, particularly in Windows environments, is required to fully grasp the impact of the flaw. The vulnerability is inherently related to file system redirection and temporal file handling, aspects that are typically overlooked in standard software deployments, rendering many systems unexpectedly vulnerable.

Examination of the file handling process shows that the AnyDesk service first retrieves the background image provided by the user before placing it in a transient storage location. When the service copies the file to the C:\Windows\Temp directory, it does not securely validate whether a file with the same name already exists. An attacker can manipulate this step by ensuring that a malicious file advertises the same name as a legitimate file meant to be copied. This results in unintended permission elevation, particularly since the copied file inherits the system-level privileges. A detailed technical assessment reveals that this file operation does not implement the safeguards typically associated with temporary file creation, such as using unique file identifiers or sandboxing file operations to avoid conflicts and prevent file overwriting.

Beyond the file operation flaw, the way in which the AnyDesk service interacts with the Windows operating system further compounds the risk. By running under the NT AUTHORITY\SYSTEM account, a compromised service opens up potential avenues for further attacks, including escalation of privileges within network environments and lateral movement through connected systems. The vulnerability thereby serves as an entry point for adversaries to implant persistent backdoors, extract sensitive data, or perform unauthorized operations. It is imperative for IT administrators to appreciate both the technical and operational risks stemming from such vulnerability in remote maintenance tools.

From a network defense perspective, vulnerability scanning and file integrity monitoring are critical in identifying early signs of exploitation. Detailed system logs and real-time alerts correlate file creation events with unusual privilege escalation, serving as vital indicators of a possible breach. Even though there is currently no evidence of the exploit being actively weaponized, research shows that adversaries have historically exploited similar vulnerabilities in remote administration software to gain permanent footholds in compromised networks. Therefore, implementation of host-based intrusion detection systems (HIDS), along with comprehensive patch management protocols, remains essential to fortify systems against potential attacks.

In vulnerable installations, the lack of a robust file management framework in the AnyDesk service coupled with the absence of an escalation-prevention mechanism can render the targeted systems open to a variety of attack vectors. Analysis reveals that the vulnerability principally impacts local file operations and is particularly dangerous in environments lacking rigorous user access controls. Given that the system’s temporary directory is a common target for malicious actors, an attacker armed with locally exploited privileges can potentially interfere with other running processes or tamper with files integral to the operating system’s functionality. Such a scenario underlines the necessity of real-time system auditing and comprehensive configuration reviews.

In addition to local exploitation, the vulnerability has implications for enterprise-wide security posture. The emergence of this weakness in a widely deployed remote administration tool serves as a reminder that even trusted applications possessed with remote connectivity capabilities might harbor exploitable faults. The inherent design flaw in AnyDesk introduces both immediate and long-term risks, particularly in scenarios where remote support mechanisms are heavily relied upon. Through a combination of effective configuration management and layered security testing protocols, organizations can mitigate the risks that arise from an inconsistent implementation of file-handling routines.

Lastly, technical research into the vulnerability confirms that the misuse of standard file operation functions without adequate security checks is a recurring issue in many software architectures. In the case of AnyDesk, the oversight is compounded by the inclusion of user-managed inputs that dictate essential file operations. This underscores the need for more rigorous code audits and the integration of secure coding practices in the development lifecycle. As a best practice, system administrators are advised to execute regular vulnerability assessments and to enforce the principle of least privilege in both application and network configurations.

The availability of a publicly accessible Proof-of-Concept (PoC) reinforces the necessity of swift patching and system updates. While the PoC serves to illustrate the exploit’s feasibility rather than evidence of an active compromise, it clearly demonstrates a viable path for attackers to forcibly escalate privileges. The ongoing dissemination of such PoCs within the cybersecurity community heightens the pressure on software vendors and system operators to review and enhance their security posture immediately.

Exploitation in the Wild

To date, there are no verified instances of this vulnerability being exploited in a widespread manner within active network environments. The Proof-of-Concept, available on GitHub and discussed on Security Online https://securityonline.info/anydesk-exploit-alert-cve-2024-12754-enables-privilege-escalation-poc-available/, clearly demonstrates the theoretical risk and outlines the technical methodology by which the vulnerability can be weaponized. Organizations should note that while specific indicators of compromise (IOCs) associated with this exploit have not been reported in active threat intelligence feeds, IT teams should remain vigilant for any anomalous behaviors such as unexpected file creations in the C:\Windows\Temp directory, sudden changes in file ownership, or unauthorized modifications to system-critical files like SAM, SYSTEM and SECURITY. Additional forensic indicators might include discrepancies in system logs that record file copy operations performed under NT AUTHORITY\SYSTEM privileges. This section serves to recommend that although the vulnerability is not confirmed to have been actively exploited, its inherent risks require proactive defense measures.

APT Groups using this vulnerability

Presently, no specific APT groups have been conclusively linked to leveraging CVE-2024-12754 in targeted attacks. However, it is important to acknowledge that groups operating in sectors such as financial services, government agencies and critical infrastructure have historically exploited similar privilege escalation vulnerabilities in remote access tools. In regions such as Europe, North America, and parts of Asia, high-caliber threat actors remain alert to vulnerabilities in ubiquitous administrative software. While we have not observed any dedicated campaigns involving this exploit, the technical merits of the vulnerability make it a potentially attractive tool for actors seeking to breach secured networks or elevate privileges in tightly controlled IT environments.

Affected Product Versions

The scope of this vulnerability is confined primarily to earlier versions of AnyDesk prior to the patch release incorporated in version v9.0.1. Systems running versions that predate v9.0.1 remain at risk from this privilege escalation vulnerability. Adversaries may capitalize on deployments where robust patch management protocols are not in place. It is essential for all organizations using AnyDesk to conduct a thorough audit of deployed versions. In environments where remote administration tools are critical to business operations, even minor version discrepancies can result in significant security gaps. The vulnerability’s specific targeting of files in the system’s temporary directory means that even deployments in otherwise secured environments may be inadvertently compromised if timely updates are not implemented. Customers are urged to verify that all installations of AnyDesk have been updated to version v9.0.1 or later, thereby ensuring protection against this known exploitation pathway.

Workaround and Mitigation

The most effective remediation for CVE-2024-12754 is the immediate update of AnyDesk to version v9.0.1. Organizations must prioritize the application of this patch to ensure that the file copy mechanisms are secured and that the risk of unauthorized privilege escalation is minimized. In addition to patching, several supplementary measures can mitigate exposure. IT administrators should enforce the principle of least privilege to restrict user access rights, effectively limiting the potential for an adversary to execute a premeditated file overwrite attack. Systems monitoring solutions should be configured to audit file permissions and trigger alerts on suspicious changes within the temporary directory. Conducting routine security audits and deploying host-based intrusion detection systems can further reduce the risk of potential exploitation. Moreover, organizations are encouraged to review and reinforce their network’s overall remote access policies. Instructions emphasizing the careful management of remote administration tools serve as an additional defensive measure against exploitation attempts.

References

Security Online provides an in-depth analysis of this vulnerability at https://securityonline.info/anydesk-exploit-alert-cve-2024-12754-enables-privilege-escalation-poc-available/ and additional cybersecurity research papers and resources remain available across various threat intelligence platforms. Other related research publications and ongoing vulnerability assessments can be cross-referenced with publicly available cybersecurity databases and technical forums. These resources offer further insights into the mechanics of privilege escalation vulnerabilities and best practices for remediation and defense. Prospective readers are advised to consult the latest technical advisories from both independent cybersecurity researchers and the vendor’s official security advisories for updated details concerning patch releases and mitigative strategies.

Rescana is here for you

At Rescana, we understand that managing third party risk through our platform is crucial in today's complex cybersecurity environment. Our TPRM platform continuously helps our customers by providing comprehensive risk assessments, monitoring vendor security postures and ensuring that remedial actions are effectively implemented to secure your IT ecosystem. We remain committed to supporting our customers with expert guidance on best practices, detailed technical insights and actionable recommendations regarding remote administration tool vulnerabilities, as well as many other advanced security challenges. For any questions regarding this report or for additional support with your cybersecurity risk management strategies, please feel free to reach out to us at ops at rescana.com.