AnyDesk, Screen Recording Link Following Denial-of-Service Vulnerability, CVE-2026-15681 (MEDIUM) -DC-Jul2026-979

Listen to this Post

How CVE-2026-15681 Works

CVE-2026-15681 is a denial-of-service vulnerability discovered in AnyDesk, a popular remote desktop software. The flaw resides in how the application handles screen recording files, specifically within its file system operations. The vulnerability is classified under CWE-59: Improper Link Resolution Before File Access (‘Link Following’).
To exploit this vulnerability, an attacker must first obtain the ability to execute low-privileged code on the target system. This means the attacker needs local access, either through a compromised user account or by tricking a user into running malicious code. Once this foothold is established, the attacker can create a special type of symbolic link known as a “junction” on the Windows operating system.
The AnyDesk service, which typically runs with higher privileges, processes screen recording files without properly validating the file paths. When the service attempts to write or access a screen recording file, it follows the malicious junction created by the attacker. Instead of writing to the intended directory, the service is redirected to an arbitrary location on the file system chosen by the attacker.
By leveraging this redirection, the attacker can abuse the service to create files anywhere on the system, including critical system directories. This uncontrolled file creation can lead to resource exhaustion, where the system’s storage is filled with junk files, or it can cause the AnyDesk service to crash or become unresponsive. Repeated exploitation can force administrators to manually restart services, leading to a denial-of-service condition that disrupts remote access capabilities for legitimate users. The vulnerability was discovered by Giuliano Sanfins from SiDi and reported to the Zero Day Initiative (ZDI-CAN-26591).

DailyCVE Form:

Platform: Windows
Version: 9.0.4
Vulnerability : Link Following
Severity: MEDIUM (CVSS 4.7)
date: 2026-07-13

Prediction: 2026-07-27

What Undercode Say: Analytics

The vulnerability stems from a classic lack of input validation, where the application trusts file paths provided by lower-privileged users. From an ATT&CK framework perspective, this vulnerability aligns with local execution vectors (T1068) when combined with privilege escalation techniques. The flaw effectively turns a legitimate file creation operation into a weapon for resource exhaustion (CWE-400).

Vulnerability Analysis Commands:

To check if a system is vulnerable, administrators can verify the AnyDesk version:

anydesk --version
Expected output for vulnerable version: 9.0.4

To monitor for suspicious junction creation, use Sysinternals’ `junction` or PowerShell:

List all junctions in the ProgramData directory
Get-ChildItem -Path "C:\ProgramData\AnyDesk" -Force | Where-Object { $_.LinkType -eq "Junction" }

Exploit

Exploitation requires local low-privileged code execution. An attacker would typically perform the following steps:
1. Create a Malicious Junction: The attacker creates a junction pointing from a directory that AnyDesk expects to use for screen recordings (e.g., C:\ProgramData\AnyDesk\screenrecords) to a system directory (e.g., C:\Windows\System32\drivers\etc).
2. Trigger the Screen Recording: The attacker forces the AnyDesk service to initiate a screen recording session or triggers a file write operation to the junctioned directory.
3. Arbitrary File Creation: The AnyDesk service, running with elevated privileges, follows the junction and writes files to the target system directory, potentially causing a denial of service by filling the disk or corrupting system files.

Proof-of-Concept (Conceptual) Bash/PowerShell Commands:

Step 1: Create a junction (requires administrative privileges or SeCreateSymbolicLinkPrivilege)
Note: In a real attack, the attacker would have to obtain this privilege or find a workaround.
New-Item -ItemType Junction -Path "C:\ProgramData\AnyDesk\recordings" -Target "C:\Windows\Temp"
Step 2: Trigger the service to write to the junctioned path
This could be done by initiating a screen recording via the AnyDesk API or UI.

Protection

  • Apply Patches: The primary mitigation is to apply the vendor-supplied patch as soon as it is released. A patch is expected around July 27, 2026.
  • Restrict User Privileges: Limit the ability of standard users to create junctions and symbolic links. This can be managed through Group Policy (Security Settings > Local Policies > User Rights Assignment > Create symbolic links).
  • Monitor File System: Implement monitoring for suspicious file creation patterns, particularly in directories used for screen recording operations. Use tools like Sysmon to log junction creation events (Event ID 1 with `SymbolicLink` target).
  • Least Privilege: Run the AnyDesk service with the least privileges necessary, although this may be limited by the application’s design.

Impact

  • Denial of Service (DoS): The primary impact is the disruption of the AnyDesk service, rendering remote desktop functionality unavailable. The service may crash repeatedly or become unresponsive.
  • Business Disruption: Organizations relying on AnyDesk for remote support or access could face significant operational downtime, especially if the service is critical for IT support or remote work.
  • Resource Exhaustion: The attacker could fill the system’s disk space with arbitrary files, potentially affecting other applications and the overall stability of the operating system.
  • No Data Breach: The vulnerability does not directly allow for data theft or privilege escalation, as it is limited to a denial-of-service condition. However, it could be used as a distraction or in conjunction with other attacks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top