CVE-2019-25261 in AnyDesk
Summary
by MITRE • 02/03/2026
AnyDesk 5.4.0 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially inject malicious executables. Attackers can exploit the unquoted binary path to place malicious files in service executable locations, potentially gaining elevated system privileges.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/03/2026
The vulnerability identified as CVE-2019-25261 affects AnyDesk version 5.4.0 on Windows systems and represents a critical service path misconfiguration that directly impacts system security posture. This flaw exists within the Windows service configuration where the service binary path is not properly quoted, creating an exploitable condition that allows local attackers to execute arbitrary code with elevated privileges. The vulnerability stems from improper service installation practices where the executable path contains spaces but lacks proper quotation marks, enabling path traversal attacks. According to the Common Weakness Enumeration framework, this vulnerability maps to CWE-428 which specifically addresses the issue of unquoted service paths, a well-documented security weakness in Windows service configurations that has been consistently reported across multiple software vendors and security assessments.
The technical implementation of this vulnerability allows attackers to place malicious executables in directories that fall within the service path resolution process without requiring explicit path quotation. When Windows attempts to execute the service binary, it follows a specific search order that prioritizes directories in the PATH environment variable, potentially leading to execution of attacker-controlled code from unintended locations. The service path typically contains spaces and multiple directory levels, which when unquoted, create opportunities for attackers to position malicious binaries in parent directories or sibling directories that Windows will search during execution. This misconfiguration enables attackers to achieve privilege escalation from standard user level to SYSTEM level privileges, as Windows services typically run with elevated permissions. The attack vector relies on the principle of least privilege violation and demonstrates how seemingly minor configuration errors can create significant security implications.
The operational impact of CVE-2019-25261 extends beyond immediate privilege escalation capabilities to encompass broader system compromise potential. Local attackers who can interact with the system can leverage this vulnerability to establish persistent access, deploy additional malware, or escalate their privileges further within the compromised environment. The vulnerability affects systems where AnyDesk service is installed and running with elevated privileges, making it particularly dangerous in enterprise environments where multiple users may have access to systems with this software. Security assessments have shown that this vulnerability can be exploited in conjunction with other local privilege escalation techniques, potentially allowing attackers to bypass additional security controls. The attack requires only local system access and knowledge of the specific service path configuration, making it particularly concerning as it can be exploited by adversaries with minimal initial access. Organizations using AnyDesk version 5.4.0 or similar vulnerable versions are at risk of unauthorized system compromise, particularly in environments where users have local access to systems.
Mitigation strategies for CVE-2019-25261 focus on correcting the service path configuration and implementing proper service installation practices. The primary remediation involves ensuring that all service binary paths containing spaces are properly quoted during installation, preventing the path resolution behavior that enables exploitation. System administrators should immediately update to AnyDesk versions that address this vulnerability, as the vendor has released patches to correct the service path configuration. Additionally, implementing proper service hardening measures including regular security assessments of installed services, monitoring for unauthorized service modifications, and maintaining updated security baselines can help prevent exploitation. The mitigation approach aligns with the ATT&CK framework's privilege escalation techniques, particularly those involving service misconfigurations and path hijacking. Organizations should also implement network monitoring to detect suspicious service execution patterns and maintain regular vulnerability scanning to identify similar misconfigurations across their infrastructure. The vulnerability serves as a reminder of the critical importance of proper service installation practices and the potential consequences of neglecting seemingly minor configuration details in security-critical applications.