OFFSITE.DARK
← Signals

Jun 29, 2026

1 min

Sploitus / Exploitarium

  • anydesk
  • lpe
  • com
  • windows
  • exploitarium

news

AnyDesk 9.7.6 Printer Pipe COM Impersonation LPE

AnyDesk printer worker unmarshals attacker COM bytes on the adprinterpipe named pipe with RPC_C_IMP_LEVEL_IMPERSONATE — SYSTEM when installed as service.

Summary

AnyDesk printer worker unmarshals attacker COM bytes on the adprinterpipe named pipe with RPC_C_IMP_LEVEL_IMPERSONATE — SYSTEM when installed as service. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

FindingDetail
Product / targetAnyDesk for Windows 9.7.6
PrimitiveNamed pipe + CoUnmarshalInterface(IStream::Read) impersonation
ImpactLow-privileged local user → AnyDesk service identity (default LocalSystem on service install).

Attack Chain

Connect adprinterpipe → send marshaled IStream → callback impersonates service during Read

Mitigation

Restrict pipe ACL; validate COM caller; run service under least-privilege account.

Related Signals

Sources

→ Source