Detects and optionally removes AnyDesk executables signed with the compromised February 2024 certificate
This Automox Worklet™ identifies AnyDesk software affected by the February 2024 certificate compromise announced by AnyDesk Software GmbH. The Worklet searches for both the compromised certificate in the Windows Certificate Store and any executables signed with that certificate.
The scan covers multiple certificate store locations (LocalMachine and CurrentUser) and store names (My, Root, TrustedPublisher). When a certificate match occurs, the Worklet outputs full certificate details including issuer, subject, serial number, and thumbprint to the Activity Log.
The Worklet then performs a recursive file system search of the system drive for .exe, .msi, and .ps1 files. Each file's Authenticode signature is validated against the compromised serial number 0DBF152DEAF0B981A8A938D53F769DB8. This process may take considerable time depending on disk size and file count.
On February 2, 2024, AnyDesk announced that attackers compromised their production systems and obtained code signing certificates. Software signed with these certificates could potentially be malicious or tampered with. AnyDesk revoked all certificates used prior to version 8.0.8.
Organizations running older AnyDesk versions face supply chain attack risk. The compromised certificate means attackers could sign malicious code that appears legitimate. Identifying and removing these binaries reduces your attack surface.
This Worklet does not uninstall AnyDesk. To fully remediate, combine this detection Worklet with the AnyDesk uninstall Worklet and then deploy a clean installation of version 8.0.8 or later. Alternatively, add AnyDesk to your third-party patch policies for automatic updates.
Evaluation phase: The Worklet searches the Windows Certificate Store for certificates matching serial number 0DBF152DEAF0B981A8A938D53F769DB8. It then performs a recursive search of all .exe, .msi, and .ps1 files on the system drive, using Get-AuthenticodeSignature to check each file's signing certificate. If any compromised executables are found, it triggers remediation with exit code 80.
Remediation phase: The Worklet repeats the certificate and file search, outputting all findings to the Activity Log. If the removeExecutable parameter is set to true, it stops the AnyDesk service and process, then force-deletes each compromised file. By default, removeExecutable is false, meaning files are reported but not deleted.
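The two phases described above, condensed into one script as an added example. This is not Automox's Worklet source; the parameter names, serial number, store list, file types, and exit code 80 come from this page, while the service and process name `AnyDesk` and the exit code 1 on failed deletion are assumptions.

```powershell
# Added example, not the Worklet's own code. Run from an elevated session.
param(
    [string]$serialNumberToFind = '0DBF152DEAF0B981A8A938D53F769DB8',
    [bool]$removeExecutable = $false
)

# Certificate store check: both locations, all three store names.
$certHits = foreach ($location in 'LocalMachine', 'CurrentUser') {
    foreach ($store in 'My', 'Root', 'TrustedPublisher') {
        Get-ChildItem -Path "Cert:\$location\$store" -ErrorAction SilentlyContinue |
            Where-Object { $_.SerialNumber -eq $serialNumberToFind }
    }
}
$certHits | Format-List Issuer, Subject, SerialNumber, Thumbprint

# File check: recurse the system drive and compare each signer's serial number.
# Unsigned files have no SignerCertificate and are skipped.
$fileHits = @(Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File -Force `
        -Include *.exe, *.msi, *.ps1 -ErrorAction SilentlyContinue |
    Where-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        $sig.SignerCertificate -and $sig.SignerCertificate.SerialNumber -eq $serialNumberToFind
    })
$fileHits | ForEach-Object { Write-Output "Signed with flagged certificate: $($_.FullName)" }

if ($fileHits.Count -eq 0) { exit 0 }      # compliant endpoint
if (-not $removeExecutable) { exit 80 }    # report only; files left in place

# Removal path. Service and process name 'AnyDesk' are assumptions.
Stop-Service -Name 'AnyDesk' -Force -ErrorAction SilentlyContinue
Stop-Process -Name 'AnyDesk' -Force -ErrorAction SilentlyContinue

$failed = 0
foreach ($file in $fileHits) {
    try {
        Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
        Write-Output "Deleted: $($file.FullName)"
    } catch {
        Write-Error "Could not delete $($file.FullName): $_"
        $failed++
    }
}
if ($failed -gt 0) { exit 1 } else { exit 0 }   # exit 1 is this example's choice
```

The match is on serial number alone, as the page describes, so a hit says only which certificate signed the file, not whether the file itself was tampered with.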
Windows workstations or servers
Administrative privileges to access certificate stores and delete files
Parameter: serialNumberToFind (default: 0DBF152DEAF0B981A8A938D53F769DB8)
Parameter: removeExecutable (default: false, set to true to delete compromised files)
Extended runtime expected due to full disk scan
After execution, the Activity Log displays any certificate matches found in the Windows Certificate Store with full details. The log also lists every file path containing executables signed with the compromised certificate.
Compliant endpoints (no compromised files found) exit with status code 0. When removeExecutable is enabled, the Worklet confirms successful deletion of each file. Failed deletions generate error output. Follow up by deploying AnyDesk 8.0.8 or later to restore remote access functionality with valid certificates.
Run this Worklet on a pilot Windows endpoint and review the evaluation output for the AnyDesk certificate vulnerability mitigation.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to evaluation script logic, such as Third-Party, Software-Support, Get-AuthenticodeSignature.
Validate remediation effects from script operations such as Third-Party, Software-Support, Get-AuthenticodeSignature, then rerun evaluation for compliance.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
