Description
An issue was discovered in AnyDesk through 9.0.4. A remotely connected user with the "Control my device" permission can manipulate remote AnyDesk settings and create a password for the Full Access profile without needing confirmation from the counterparty. Consequently, the attacker can later connect without this counterparty confirmation.
References
anydesk.com/en/changelog/windows
dspace.cvut.cz/...-Krejsa-Vojtech-DP_Krejsa_Vojtech_2025.pdf
