AnyDesk CVE-2026-15682 Zero-Day Lets Local Attackers Crash Remote Desktop Installs

A zero-day flaw in AnyDesk's Send Support Information feature tracked as CVE-2026-15682 lets local attackers write arbitrary files and crash the remote desktop service.

AnyDesk CVE-2026-15682 Zero-Day Lets Local Attackers Crash Remote Desktop Installs

Security researchers have disclosed a zero-day flaw in AnyDesk's remote desktop software, tracked as CVE-2026-15682, that lets local attackers crash affected installations by abusing a core diagnostic feature. The bug was published by the Zero Day Initiative on 13 July 2026, and while its CVSS 4.7 severity is only medium, it is the latest security incident to hit the widely deployed remote-support tool.

Junction Abuse In Send Support Information

The vulnerability lives in AnyDesk's Send Support Information feature, designed to help users share diagnostic data with support teams. By creating a filesystem junction - a reparse point that redirects file operations - an attacker can trick the AnyDesk service into writing arbitrary files outside their intended location. That file-write abuse ultimately drives the application or system into a denial-of-service state, disrupting operations for legitimate users.

Cybersecurity vulnerability code on screen

Local Access Required, But Still Dangerous

Zero Day Initiative advisory ZDI-26-401 notes the flaw requires an attacker to first execute low-privileged code on the target machine, so it is not directly remotely exploitable. In shared, multi-user or already partially compromised environments, however, low-privilege footholds are common - which is why denial-of-service flaws in remote-access tools are especially disruptive to IT help desks and managed service providers relying on AnyDesk for around-the-clock remote support.

Pattern Of Reparse-Point Bugs

The disclosure follows a recurring pattern: AnyDesk has previously dealt with vulnerabilities tied to symbolic links and reparse points, including a 2024 wallpaper-handling flaw that enabled privilege escalation. The vendor's 2024 production-system breach also forced widespread certificate revocations and updates, so security teams are treating fresh AnyDesk disclosures with urgency.

Mitigations Ahead Of A Patch

A vendor-supplied patch is expected by August 2026. Until then, defenders can disable the Send Support Information feature when it is not actively needed, tighten who can execute low-privilege code on hosts running AnyDesk, and monitor for unusual junction or reparse-point creation. The disclosure lands amid a heavy week for cybersecurity: Microsoft's July Patch Tuesday fixed a record 570 flaws including three zero-days, and SonicWall's SMA 1000 SSRF and command-injection zero-days are being exploited in the wild.

Company Context

AnyDesk is a Stuttgart, Germany remote-desktop maker founded in 2014 with roughly 900 million sessions per month and customers in 190 countries. It has raised more than US$77 million from Insight Partners, EQT Ventures and General Atlantic and now employs more than 400 people across 11 international offices.

Reporting based on coverage from Cyber Security News, Zero Day Initiative, DailyCVE and NIST NVD.

Category: Cyber Security

Tags: Cybersecurity Zero-Day CVE

Related Articles