Security researchers have disclosed a zero-day flaw in AnyDesk's remote desktop software, tracked as CVE-2026-15682, that lets local attackers crash affected installations by abusing a core diagnostic feature. The bug was published by the Zero Day Initiative on 13 July 2026, and while its CVSS 4.7 severity is only medium, it is the latest security incident to hit the widely deployed remote-support tool.
Junction Abuse In Send Support Information
The vulnerability lives in AnyDesk's Send Support Information feature, designed to help users share diagnostic data with support teams. By creating a filesystem junction - a reparse point that redirects file operations - an attacker can trick the AnyDesk service into writing arbitrary files outside their intended location. That file-write abuse ultimately drives the application or system into a denial-of-service state, disrupting operations for legitimate users.
Local Access Required, But Still Dangerous
Zero Day Initiative advisory ZDI-26-401 notes the flaw requires an attacker to first execute low-privileged code on the target machine, so it is not directly remotely exploitable. In shared, multi-user or already partially compromised environments, however, low-privilege footholds are common - which is why denial-of-service flaws in remote-access tools are especially disruptive to IT help desks and managed service providers relying on AnyDesk for around-the-clock remote support.
Pattern Of Reparse-Point Bugs
The disclosure follows a recurring pattern: AnyDesk has previously dealt with vulnerabilities tied to symbolic links and reparse points, including a 2024 wallpaper-handling flaw that enabled privilege escalation. The vendor's 2024 production-system breach also forced widespread certificate revocations and updates, so security teams are treating fresh AnyDesk disclosures with urgency.
Mitigations Ahead Of A Patch
A vendor-supplied patch is expected by August 2026. Until then, defenders can disable the Send Support Information feature when it is not actively needed, tighten who can execute low-privilege code on hosts running AnyDesk, and monitor for unusual junction or reparse-point creation. The disclosure lands amid a heavy week for cybersecurity: Microsoft's July Patch Tuesday fixed a record 570 flaws including three zero-days, and SonicWall's SMA 1000 SSRF and command-injection zero-days are being exploited in the wild.
Company Context
AnyDesk is a Stuttgart, Germany remote-desktop maker founded in 2014 with roughly 900 million sessions per month and customers in 190 countries. It has raised more than US$77 million from Insight Partners, EQT Ventures and General Atlantic and now employs more than 400 people across 11 international offices.
Reporting based on coverage from Cyber Security News, Zero Day Initiative, DailyCVE and NIST NVD.
