{"id":65633,"date":"2025-05-07T14:09:52","date_gmt":"2025-05-07T14:09:52","guid":{"rendered":"https:\/\/www.realvnc.com\/?post_type=blog&p=65633"},"modified":"2026-04-13T10:44:58","modified_gmt":"2026-04-13T09:44:58","slug":"anydesk-security-breach-2","status":"publish","type":"blog","link":"https:\/\/www.realvnc.com\/en\/blog\/anydesk-security-breach-2\/","title":{"rendered":"The AnyDesk Security Breach is a Stark Reminder of the Imperative for Truly Secure Remote Access"},"content":{"rendered":"

The AnyDesk security breach is a reminder of why secure remote access matters. After a routine audit, AnyDesk discovered its production systems had been compromised, which proves that some remote access tools lack security at their core.<\/p>\n

Key Details of the AnyDesk Breach<\/h2>\n

<\/p>\n

An Internal Audit Revealed a Serious Security Incident<\/h3>\n

According to an\u00a0incident response by AnyDesk<\/a>, a security audit found that some of the company\u2019s systems had been compromised. While the incident wasn’t related to ransomware, attackers used the breach to gain unauthorized access to sensitive information on AnyDesk’s systems.<\/p>\n

AnyDesk has downplayed the incident, claiming that the situation was under control. However, users were urged to reset their passwords if they had installed AnyDesk on their systems and used the same credentials elsewhere. The timing of maintenance in the days before the public announcement, as well as the late Friday afternoon press release from AnyDesk, indicates that the breach occurred several days before they publicly acknowledged it.<\/p>\n

Bad Actors Stole Source Code and Signing Certificates<\/h3>\n

BleepingComputer<\/a> discovered that the attackers stole source code and private code signing keys, which were later used to push malware under the guise of trusted software.<\/p>\n

<\/p>\n

Attackers Used the Certificate to Spread Malware<\/h3>\n

With the stolen certificate, cybercriminals signed and distributed more than 500 samples of Agent Tesla<\/a>, which is a well-known remote access trojan (RAT). These files appeared authentic, making it easier for them to slip past defenses and infect devices.<\/p>\n

18,000+ Customer Credentials Leaked<\/h3>\n

Resecurity reported<\/a> that over 18,000 AnyDesk user credentials surfaced on the dark web.<\/p>\n

Organizations must be aware of the risks associated with remote access software and take proactive measures to secure their systems and data. This includes monitoring for any signs of malicious activity and ensuring that all security protocols are up to date.<\/p>\n

In response, AnyDesk issued a new code signing certificate and urged users to change their passwords, especially if they\u2019d used the same credentials elsewhere.<\/p>\n

An Additional Security Flaw Discovered<\/h3>\n

As if the breach itself wasn\u2019t enough, a critical vulnerability identified as CVE-2024-13754<\/a> was disclosed in AnyDesk’s handling of desktop background images. This flaw allows local attackers with low-privileged access to escalate their privileges<\/a> by exploiting the way AnyDesk processes background images during session initialization.<\/p>\n

\"\"<\/p>\n

A proof-of-concept exploit<\/a> was released in early 2025, increasing the urgency for users to update to the latest version to mitigate potential risks.<\/p>\n

Attackers Impersonated CERT-UA in a Social Engineering Campaign<\/h3>\n

In early 2025, attackers began impersonating Ukraine’s Computer Emergency Response Team (CERT-UA) by sending fraudulent AnyDesk connection requests under the guise of conducting security audits. These social engineering attacks aimed to trick users into granting remote access, potentially leading to unauthorized data access or system compromise.<\/p>\n

CERT-UA has clarified that while it may use remote access tools like AnyDesk, such actions are only taken after prior agreement through official communication channels.<\/p>\n

How AnyDesk Responded to the Breach<\/h2>\n

Following the breach, AnyDesk took several measures<\/a> to secure its systems and protect users. The company revoked all security-related certificates, including code-signing certificates, and replaced them with new ones.<\/p>\n

Additionally, AnyDesk invalidated all passwords to its customer web portal and urged users to reset their passwords, especially if the same credentials were used elsewhere. These actions were part of a comprehensive incident response plan to mitigate the breach’s impact.<\/p>\n

Why Should You Take the AnyDesk Attack Seriously?<\/h2>\n

If you\u2019re an AnyDesk user, you should take this news very seriously. And even if you\u2019re using another remote access solution, this needs to make you challenge its security credentials.<\/p>\n

Unfortunately, this is not the first time that something like this has happened. As we said at the time of the GoTo security incident<\/a>, when security is not the first priority, customers are the ones who end up suffering.<\/p>\n

RealVNC’s commitment to security<\/h2>\n

\"\"<\/p>\n

At RealVNC, security isn\u2019t a feature; it\u2019s the foundation. Every connection, every update, every line of code is built around keeping your data protected<\/a>.<\/p>\n

ISO 27001 Certification is More Than Just a Badge<\/h3>\n

We\u2019re ISO 27001 certified<\/a>, which means we follow one of the most rigorous global standards for information security. That includes continuous risk assessments, company-wide controls, independent audits, and regular training for our team.<\/p>\n

In short, it\u2019s proof that we don\u2019t just react to threats. We plan for them. If your remote access provider isn\u2019t certified, ask why.<\/p>\n

Built for Zero Trust<\/h3>\n

Our software is designed to be secure even if you don\u2019t trust us.<\/p>\n