
CVE-2025-27919: n/a

Severity: High
Type: Vulnerability
Tags: CVE-2025-27919, cve, cve-2025-27919
Published: Thu Nov 06 2025 (11/06/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in AnyDesk through 9.0.4. A remotely connected user with the "Control my device" permission can manipulate remote AnyDesk settings and create a password for the Full Access profile without needing confirmation from the counterparty. Consequently, the attacker can later connect without this counterparty confirmation.

AI-Powered Analysis

Last updated: 11/13/2025, 18:15:35 UTC

Technical Analysis

CVE-2025-27919 is a vulnerability identified in the AnyDesk remote desktop software through version 9.0.4. The flaw allows a remote user who has been granted the 'Control my device' permission to manipulate the remote AnyDesk client’s settings without the knowledge or confirmation of the device owner. Specifically, the attacker can create a password for the Full Access profile on the remote system, which normally requires explicit confirmation from the counterparty. By setting this password covertly, the attacker gains the ability to reconnect to the device later without needing any further approval, effectively establishing persistent unauthorized access. The vulnerability is classified under CWE-284 (Improper Access Control), indicating a failure to enforce proper permission checks. The CVSS v3.1 base score is 8.2 (high severity), with the vector indicating that the attack can be performed remotely over the network (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and affects confidentiality significantly (C:H), with limited impact on integrity (I:L) and no impact on availability (A:N). No known exploits are currently reported in the wild, and no patches have been linked yet, suggesting the vulnerability is newly disclosed. This issue poses a serious risk because it undermines the trust model of AnyDesk’s remote access permissions, allowing attackers to escalate their access and maintain persistence stealthily.

Potential Impact

For European organizations, the impact of this vulnerability is substantial, especially for those relying on AnyDesk for remote administration, teleworking, or customer support. Unauthorized persistent access could lead to exposure of sensitive corporate data, intellectual property theft, and potential lateral movement within networks. Confidentiality is highly impacted as attackers can access data without detection. Although integrity and availability impacts are limited, the ability to maintain undetected access can facilitate further attacks such as data exfiltration or deployment of malware. Critical sectors such as finance, healthcare, government, and industrial control systems that use AnyDesk for remote operations are particularly at risk. The lack of required user interaction or privileges lowers the barrier for exploitation, increasing the threat level. Additionally, the persistence mechanism bypasses normal user consent, complicating incident detection and response.

Mitigation Recommendations

Organizations should immediately audit AnyDesk usage and permissions, restricting 'Control my device' rights only to trusted users. Until patches are released, consider disabling AnyDesk remote control features or replacing AnyDesk with alternative remote access solutions with stronger access controls. Monitor AnyDesk configuration files and logs for unauthorized changes, especially the creation of Full Access profile passwords. Implement network segmentation to isolate systems that allow remote access and employ strict firewall rules to limit AnyDesk traffic to known, trusted endpoints. Educate users about the risks of granting remote control permissions and enforce multi-factor authentication on AnyDesk accounts where possible. Once patches are available, apply them promptly. Additionally, integrate AnyDesk monitoring into security information and event management (SIEM) systems to detect anomalous remote access patterns. Regularly review remote access policies and conduct penetration testing to verify the effectiveness of controls.
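
The configuration-monitoring recommendation above, as an added example (not part of the original page and not AnyDesk's own tooling): it compares a trusted baseline copy of a settings file with the current one and reports credential-like keys that were added, removed or changed, such as a newly created Full Access profile password. The `key=value` layout, the key names and the match pattern are assumptions constructed for illustration; adapt them to what the installed version actually writes.

```python
import re

# Assumption: the settings file is plain "key=value" text, one entry per line.
# Assumption: password-related entries can be recognised by these substrings.
CREDENTIAL_KEY = re.compile(r"(pwd|passw|salt|token)", re.IGNORECASE)


def parse_conf(text):
    """Parse key=value lines into a dict, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries


def credential_changes(baseline_text, current_text):
    """Return sorted (change, key) pairs for credential-like keys only."""
    old, new = parse_conf(baseline_text), parse_conf(current_text)
    findings = []
    for key in sorted(set(old) | set(new)):
        if not CREDENTIAL_KEY.search(key):
            continue
        if key not in old:
            findings.append(("added", key))
        elif key not in new:
            findings.append(("removed", key))
        elif old[key] != new[key]:
            findings.append(("changed", key))
    return findings


# Constructed snapshots; the key names are hypothetical placeholders.
BASELINE = """\
example.client.alias=helpdesk-ws-014
example.profiles.default.pwd_hash=3f1a
example.profiles.default.pwd_salt=9c2e
"""
CURRENT = BASELINE + """\
example.profiles.full_access.pwd_hash=b7d0
example.profiles.full_access.pwd_salt=44aa
"""

if __name__ == "__main__":
    for change, key in credential_changes(BASELINE, CURRENT):
        print(f"ALERT {change}: {key}")  # values are never printed
```

Only key names are reported, so the alert stream forwarded to a SIEM never carries hash or salt values.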


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-03-10T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 690cd9af1c9f718888294817

Added to database: 11/6/2025, 5:23:59 PM

Last enriched: 11/13/2025, 6:15:35 PM

Last updated: 12/21/2025, 8:18:11 PM
