CVE-2020-13160
published 2020-06-09

CVE-2020-13160: AnyDesk before 5.5.3 on Linux and FreeBSD has a format string vulnerability that can be exploited for remote code execution.

Priority: P1 81 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: EXPLOIT
EPSS: 80.55% (99.6th percentile)

Affected (1 range)

Vendor   | Product | Version range | Fixed in
---------+---------+---------------+---------
anydesk  | anydesk | < 5.5.3       | 5.5.3

Detection & IOCs (extracted from sources)

port: 50001/udp
command: format string payload in hostname field: \x85\xfe%1$*1$x%18x%165$ln
bytes: |3e d1 01| at start of UDP discovery packet
bytes: UDP payload bytes |3e d1| at depth 2
snort:
alert udp $EXTERNAL_NET any -> $HOME_NET 50001 (msg:"ET EXPLOIT AnyDesk UDP Discovery Format String (CVE-2020-13160)"; isdataat:16; content:"|3e d1|"; depth:2; byte_test:4,>,16,11,relative,big; pcre:"/^.{11}([\xC0-\xC1]|[\xF5-\xFF]|\xE0[\x80-\x9F]|\xF0[\x80-\x8F]|[\xC2-\xDF](?![\x80-\xBF])|[\xE0-\xEF](?![\x80-\xBF]{2})|[\xF0-\xF4](?![\x80-\xBF]{3})|(?<=[\x00-\x7F\xF5-\xFF])[\x80-\xBF]|(?<![\xC2-\xDF]|[\xE0-\xEF]|[\xE0-\xEF][\x80-\xBF]|[\xF0-\xF4]|[\xF0-\xF4][\x80-\xBF]|[\xF0-\xF4][\x80-\xBF]{2})[\x80-\xBF]|(?<=[\xE0-\xEF])[\x80-\xBF](?![\x80-\xBF])|(?<=[\xF0-\xF4])[\x80-\xBF](?![\x80-\xBF]{2})|(?<=[\xF0-\xF4][\x80-\xBF])[\x80-\xBF](?![\x80-\xBF]))/R"; reference:url,devel0pment.de/?p=1881; reference:cve,2020-13160; classtype:attempted-user; sid:2030348; rev:2;)
  • The exploit targets UDP port 50001 — monitor for unexpected inbound UDP traffic to this port from external sources, especially with packet sizes consistent with a discovery packet carrying shellcode.
  • Discovery packets begin with magic bytes 0x3e 0xd1 0x01; any UDP packet to port 50001 starting with these bytes and containing format string specifiers (e.g., %n, %x, %ln) in string fields is highly suspicious.
  • The AnyDesk GUI frontend process must be running for exploitation to succeed; the discovery service alone is insufficient. Monitor for AnyDesk GUI process execution on Linux/FreeBSD endpoints.
  • Successful exploitation results in a reverse shell spawned under the AnyDesk GUI user's context; monitor for unexpected outbound TCP connections (e.g., to port 4444) from the AnyDesk process.
  • The vulnerability only affects AnyDesk versions before 5.5.3 on Linux and FreeBSD; Windows versions are not affected.
  • The ET Snort rule (sid:2030348) is noted as having 'Significant' performance impact due to the complex PCRE; tune deployment accordingly.

CVSS provenance

NVD · CVSS v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P