CVE-2025-27916 is a vulnerability identified in AnyDesk remote desktop software affecting Windows versions before 9.0.6 and Android versions before 8.0.0. The issue arises when a connection is established directly via an IP address between two AnyDesk clients. Under these conditions, an attacker can manipulate the data transmitted during the connection setup to spoof the AnyDesk ID, which is a unique identifier used to authenticate and establish remote sessions. This spoofing can lead to unauthorized access or session hijacking by impersonating a legitimate client. The vulnerability is categorized under CWE-290, indicating a failure in proper authentication mechanisms. The CVSS v3.1 base score is 7.5, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, meaning the attack can be performed remotely over the network without any privileges or user interaction, impacting the integrity of the system but not confidentiality or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The flaw primarily threatens the integrity of remote sessions, potentially allowing attackers to impersonate trusted clients and manipulate remote access sessions, which could lead to unauthorized control or data manipulation within the affected environment.

For European organizations, this vulnerability poses a significant risk to the integrity of remote access sessions, especially in sectors heavily reliant on AnyDesk for remote support, administration, or teleworking. Attackers exploiting this flaw could impersonate legitimate users, potentially gaining unauthorized control over systems or injecting malicious commands. This could lead to unauthorized changes in critical systems, data manipulation, or lateral movement within networks. The absence of required privileges or user interaction lowers the barrier for exploitation, increasing the threat level. Organizations in finance, healthcare, government, and critical infrastructure sectors are particularly vulnerable due to the sensitive nature of their operations and the widespread use of remote access tools. The impact is heightened in environments where IP-based connections are common or where network segmentation is weak, facilitating easier exploitation. Additionally, the lack of confidentiality impact means data exfiltration is less likely directly from this vulnerability, but the integrity compromise could enable further attacks or fraud.

1. Immediately monitor AnyDesk usage within the organization and identify versions in use, prioritizing upgrades to AnyDesk 9.0.6 (Windows) and 8.0.0 (Android) or later once patches are released. 2. Until patches are available, restrict or disable direct IP-based connections in AnyDesk configurations to prevent exploitation of the spoofing vector. 3. Implement network-level controls such as firewall rules or VPN requirements to limit AnyDesk traffic to trusted endpoints only. 4. Employ multi-factor authentication (MFA) on AnyDesk accounts and related systems to reduce the risk of unauthorized access even if spoofing occurs. 5. Conduct regular audits of remote access logs to detect unusual connection patterns or unexpected AnyDesk IDs. 6. Educate IT and security teams about this vulnerability to ensure rapid response and incident handling if suspicious activity is detected. 7. Coordinate with AnyDesk support or vendor channels for official patches and security advisories. 8. Consider alternative remote access solutions with stronger authentication and session integrity guarantees if immediate patching is not feasible.