AnyDesk Support Information Link Following Denial-of-Service Vulnerability (CVE-2026-15682) – MEDIUM -DC-Jul2026-971

Listen to this Post

CVE-2026-15682 is a denial-of-service vulnerability affecting AnyDesk, a popular remote desktop software. The flaw resides within the “Send Support Information” feature, a component designed to package and transmit diagnostic data for troubleshooting. The vulnerability stems from improper link resolution before file access, categorized under CWE-59. When the Send Support Information feature processes user-provided paths, it fails to perform adequate input validation or sanitization checks on the supplied file paths. This oversight allows a local attacker, who has already obtained the ability to execute low-privileged code on the target system, to exploit the service’s file creation operations.
The exploitation technique involves creating a junction—a type of symbolic link in the Windows filesystem that redirects file operations to an alternate location. By crafting a malicious junction and directing the Send Support Information feature to use it, an attacker can abuse the service to create arbitrary files in unintended system directories. This redirection of file operations can lead to system instability, service crashes, or complete unresponsiveness of the AnyDesk service. The vulnerability does not require user interaction and has a local attack vector, but it does require high attack complexity and low privileges, making it a medium-severity issue with a CVSS base score of 4.7. The attack can be leveraged to cause a denial-of-service condition, effectively preventing legitimate users from accessing remote desktop functionality. The vulnerability was discovered by Giuliano Sanfins from SiDi (0x_alibabas) and reported to the vendor on March 30, 2025, under the ZDI-CAN-26645 identifier. The CVE was published on July 13, 2026, and the vendor is expected to release a patch to address the path traversal and link-following flaws by implementing strict input validation for all file path operations within the application.

DailyCVE Form:

Platform: AnyDesk
Version: 9.0.4
Vulnerability: Link Following DoS
Severity: MEDIUM (CVSS 4.7)
date: 2026-07-13

Prediction: 2026-08-03

What Undercode Say:

Analytics indicate that this vulnerability is particularly concerning for enterprise environments where remote desktop services are heavily utilized. The attack requires local code execution, which means it is often paired with other initial access vectors. Monitoring for unusual junction creation events and file write operations in sensitive system directories can help detect exploitation attempts. The following bash commands can be used to audit for suspicious junctions and monitor file creation patterns:

List all junctions in the system
dir /AL /S C:\ 2>nul | find "JUNCTION"
Monitor for file creation events in real-time using PowerShell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object { $<em>.Message -match "CREATE" }
Check for any unexpected .tmp or .log files in the AnyDesk directory
Get-ChildItem -Path "C:\Program Files (x86)\AnyDesk" -Recurse -Include .tmp,.log | Where-Object { $</em>.LastWriteTime -gt (Get-Date).AddDays(-1) }

Exploit:

To exploit this vulnerability, an attacker must first establish low-privileged code execution on the target system. The attacker then creates a junction pointing to a critical system directory, such as C:\Windows\System32\drivers\etc, and uses the Send Support Information feature to trigger file creation within that junction. This can overwrite or corrupt system files, leading to a denial-of-service condition. A basic proof-of-concept involves using the `mklink` command to create a junction and then invoking the vulnerable feature through the AnyDesk GUI or API. The exploit does not require elevated privileges but relies on the service’s ability to write files to the resolved junction target.

Protection:

  • Apply the vendor-supplied patch as soon as it becomes available (expected by August 2026).
  • Restrict local user permissions to minimize the ability to execute low-privileged code.
  • Disable the “Send Support Information” feature when not actively needed.
  • Implement application whitelisting to prevent unauthorized execution of AnyDesk or related components.
  • Use endpoint detection and response (EDR) solutions to monitor for unusual junction creation and file write patterns.

Impact:

Successful exploitation results in a denial-of-service condition, where the AnyDesk service may crash or become unresponsive. This can disrupt remote access capabilities for legitimate users, potentially affecting business operations in enterprises that rely heavily on remote desktop services. In severe cases, the attacker could cause system instability or corruption by writing arbitrary files to sensitive locations, potentially leading to further privilege escalation or persistent access. The vulnerability has a CVSS base score of 4.7 (Medium) with a vector of AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating that while the impact is limited to availability, the attack complexity is high and local access is required.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top