CVE-2021-44425: 
NixOS vulnerability analysis and mitigation

An issue was discovered in AnyDesk before versions 6.2.6 and 6.3.x before 6.3.3. The vulnerability (CVE-2021-44425) involves an unnecessarily open listening port on a machine in the LAN of an attacker, opened by the AnyDesk Windows client when using the tunneling feature (NVD).

The vulnerability has a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue specifically relates to the AnyDesk tunneling service where the software on the connecting client listens for connections to the tunnel on all interfaces (Argus Advisory).

When exploited, this vulnerability allows an attacker unauthorized access to the local machine's AnyDesk tunneling protocol stack and any remote destination machine software that is listening to the AnyDesk tunneled port. This is particularly concerning when users are connected to non-secure networks, as attackers on the same network could potentially access corporate remote servers through the exposed tunneled port (Argus Advisory).

The vulnerability has been fixed in AnyDesk version 6.2.6 and version 6.3.3. Users should upgrade to these or later versions to mitigate the risk (NVD).

The vulnerability was discovered and reported to AnyDesk in August 2021. AnyDesk verified the validity of the issue on September 22, 2021, and confirmed the fix was implemented on November 9, 2021 (Argus Advisory).