CVE-2016-20094

HIGH

AnyDesk 2.5.0 Unquoted Service Path Elevation of Privilege

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20094. PoCs published by Tulpa.

AI-analyzed exploit summary: This is a technical writeup describing an unquoted service path vulnerability in AnyDesk 2.5.0, which could allow local privilege escalation (LPE) due to the service path not being enclosed in quotes. The author provides details on the service configuration and the potential exploit scenario.

Description

AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation. Attackers can insert malicious executables in the system root path that execute with elevated privileges during application startup or system reboot.

Exploits (1)

exploitdb WRITEUP
by Tulpa · text · local · windows
https://www.exploit-db.com/exploits/40410

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: AnyDesk 2.5.0
Auth required
Prerequisites: Local user access · Ability to place executable in system root path
devstral-2 · analyzed Jun 19, 2026

References (4)

Core References
Exploit: ExploitDB-40410
https://www.exploit-db.com/exploits/40410
Product: Official Product Homepage
http://anydesk.com
Product: Product Reference
http://anydesk.com/download
Third Party Advisory: VulnCheck Advisory: AnyDesk 2.5.0 Unquoted Service Path Elevation of Privilege
https://www.vulncheck.com/advisories/anydesk-unquoted-service-path-elevation-of-privilege

Scores

CVSS v3 7.8
EPSS 0.0018
EPSS Percentile 7.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-428
Status published
Products (2)
anydesk/anydesk 2.5.0
Anydesk/AnyDesk 2.5.0
Published Jun 19, 2026
Tracked Since Jun 19, 2026