CVE-2016-20094 in AnyDesk
Summary
by MITRE • 06/19/2026
AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation. Attackers can insert malicious executables in the system root path that execute with elevated privileges during application startup or system reboot.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/19/2026
The unquoted service path vulnerability in AnyDesk 2.5.0 represents a critical security flaw that enables local privilege escalation through improper service installation configuration. This vulnerability falls under the category of weak service path validation and directly relates to cwe-16 which addresses improper handling of environment variables and path resolution. The flaw occurs when a service is installed without properly quoting the path to its executable, creating opportunities for attackers to place malicious binaries in directories that are searched before the legitimate service location. During system startup or application reboot, the service loader executes the first executable it finds in the search path, potentially executing attacker-controlled code with SYSTEM privileges.
The technical exploitation of this vulnerability leverages the Windows service architecture where services are configured with specific executable paths that are resolved at runtime. When these paths are not properly quoted, the operating system performs a path search that includes parent directories, allowing an attacker to place a malicious executable in a directory that precedes the legitimate service binary in the search order. This creates a race condition where the service startup process executes the attacker's binary instead of the intended AnyDesk executable, effectively providing a backdoor with elevated privileges. The vulnerability is particularly dangerous because it requires no user interaction and can be exploited during normal system operations.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass full system compromise and persistent access. Attackers can establish a foothold that survives system reboots and maintains administrative privileges, enabling them to perform reconnaissance, deploy additional malware, or exfiltrate sensitive data. The vulnerability affects any local user who has the ability to modify system directories, making it particularly concerning in multi-user environments or when users have administrative rights. From an attack perspective, this vulnerability aligns with the attack technique t1068 which describes privilege escalation through service misconfiguration and t1543 which covers creating or modifying system level persistence mechanisms.
Mitigation strategies for this vulnerability should focus on immediate service path correction and system hardening. Organizations should immediately apply vendor patches or updates that properly quote service installation paths to prevent the exploitation of this flaw. System administrators should conduct thorough service path audits to identify other vulnerable services that may be susceptible to similar attacks. The recommended approach involves implementing proper service path quoting during installation and ensuring that service binaries are placed in secure directories with appropriate access controls. Additionally, monitoring for unauthorized changes to service configurations and implementing least privilege principles for service accounts can significantly reduce the attack surface. Regular security assessments and vulnerability scanning should include checks for unquoted service paths to prevent similar issues from emerging in other software components.