CVE-2021-40854: Local privilege escalation

Problem type

Local privilege escalation

Description

AnyDesk for Windows allows a local escalation of privileges through its user interface. Once an incoming connection has been accepted, the local user can click the "Open Chat Log" link in the connection window. This launches Notepad with administrator privileges instead of the privileges of the logged-on user. From that elevated Notepad, the "File -> Open..." dialog acts as a full Explorer view, so the user can browse to and start any executable, and it inherits the administrator privileges.

Impact

A user with restricted privileges can use AnyDesk to obtain administrator privileges.

Note: the vulnerability cannot be exploited remotely, because AnyDesk blocks remote interaction with the chat window; the attacker needs an interactive local session on the machine running AnyDesk.

Affected products

The vulnerability affects AnyDesk for Windows versions 3.1.0 through 6.3.2 inclusive, with the exception of 6.2.6, which already contains the fix.
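Two checks a defender would want after reading the description and the affected-version range above, written as an added example (this is not AnyDesk's code and not part of the advisory): a version-range test that honours the 6.2.6 exception, and a process-creation rule that flags the chain described, AnyDesk spawning an elevated notepad.exe and that Notepad spawning a further process. The record layout and the sample events are constructed for the example and only loosely follow Sysmon Event ID 1 field names; the assumption that the elevated Notepad shows up as a child of AnyDesk.exe with a High or System integrity level is mine, not something the advisory states, so map the keys to your own telemetry before relying on it.

```python
"""Triage helpers for CVE-2021-40854 (AnyDesk for Windows LPE).

Added example; not AnyDesk code. Built only from the advisory text:
  * affected range 3.1.0 .. 6.3.2, with 6.2.6 excluded (it is a fixed release)
  * exploitation chain: AnyDesk -> elevated notepad.exe -> any program
"""
from __future__ import annotations

from typing import Iterable

FIRST_AFFECTED = (3, 1, 0)
LAST_AFFECTED = (6, 3, 2)
FIXED_RELEASES = {(6, 2, 6), (6, 3, 3)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '6.2.6' or '6.3' into a 3-tuple; reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]  # pad short versions like '6.3'


def is_affected_version(text: str) -> bool:
    """True if this AnyDesk for Windows build falls in the vulnerable range."""
    v = parse_version(text)
    if v in FIXED_RELEASES:          # 6.2.6 sits inside the range but is fixed
        return False
    return FIRST_AFFECTED <= v <= LAST_AFFECTED


# --- detection over process-creation telemetry --------------------------

ELEVATED_INTEGRITY = {"High", "System"}  # assumption: how the elevated Notepad appears


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_escalation_chains(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Flag the two links of the chain the advisory describes.

    Returns (pid, reason) pairs. Only elevated processes are considered,
    so a user opening Notepad from Explorer at Medium integrity is ignored,
    and so is an admin's elevated cmd.exe starting Notepad deliberately.
    """
    findings: list[tuple[int, str]] = []
    for e in events:
        if e.get("integrity") not in ELEVATED_INTEGRITY:
            continue
        child = _basename(e["image"])
        parent = _basename(e["parent_image"])
        if child == "notepad.exe" and parent == "anydesk.exe":
            findings.append((e["pid"], "elevated notepad.exe spawned by AnyDesk (chat log viewer)"))
        elif parent == "notepad.exe":
            findings.append((e["pid"], f"{child} spawned by elevated notepad.exe (File -> Open)"))
    return findings


# Constructed sample events, not real logs. Keys: pid, ppid, image,
# parent_image, integrity (Sysmon-style IntegrityLevel), user.
ANYDESK = r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [
    # benign: the user opens Notepad from Explorer at Medium integrity
    {"pid": 2001, "ppid": 1500, "image": NOTEPAD, "parent_image": EXPLORER,
     "integrity": "Medium", "user": r"LAB\alice"},
    # benign: an administrator's elevated prompt starts Notepad on purpose
    {"pid": 2101, "ppid": 2100, "image": NOTEPAD, "parent_image": CMD,
     "integrity": "High", "user": r"LAB\admin"},
    # link 1: "Open Chat Log" launches an elevated Notepad from AnyDesk
    {"pid": 1002, "ppid": 1001, "image": NOTEPAD, "parent_image": ANYDESK,
     "integrity": "High", "user": r"LAB\alice"},
    # link 2: File -> Open used to start cmd.exe from that Notepad
    {"pid": 1003, "ppid": 1002, "image": CMD, "parent_image": NOTEPAD,
     "integrity": "High", "user": r"LAB\alice"},
]


if __name__ == "__main__":
    for v in ("3.0.9", "3.1.0", "6.2.5", "6.2.6", "6.3.2", "6.3.3"):
        print(f"{v:>6}: {'AFFECTED' if is_affected_version(v) else 'ok'}")
    for pid, reason in find_escalation_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The version string would normally come from the installer's DisplayVersion value under the Uninstall registry keys or from the file version of AnyDesk.exe; the detection rule is deliberately narrow (elevated Notepad with an AnyDesk parent, or any child of an elevated Notepad) so that ordinary administrative use of Notepad does not fire.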

Resolution

We have fixed the vulnerability in AnyDesk for Windows version 6.3.3. For users who stay on the 6.2 branch, we have also released version 6.2.6 containing the same fix.