HP Anyware: Linux client allows privilege escalation
Attackers can escalate their privileges on the system through HP's Anyware client for Linux. A software update that corrects the error is available.
(Image: Created with AI in Bing Designer by heise online / dmk)
HP has discovered a security vulnerability in the Linux client of HP Anyware that allows privilege escalation. Updates are available to close the security gap.
HP warns of the vulnerability in a security notice, but the company is holding back on details. "A potential vulnerability has been discovered in HP Anyware Agent for Linux that could allow authentication bypass and result in privilege escalation," is how HP describes the vulnerability (CVE-2025-1003, CVSS 8.5, risk "high"). This sounds far more harmless than the CVSS risk classification, which is much closer to the "critical" level (CVSS >= 9.0) than to "medium" (CVSS < 7.0).
Information in short supply
HP does not say exactly what the vulnerability looks like or how attackers can abuse it. However, HP recommends a temporary countermeasure if an immediate update is not yet possible: in the configuration, IT managers should disable the "PC over IP" function, a "secure remote display protocol", by setting "pcoip.session_retry_timeout" to "0".
HP's developers have patched the vulnerability in versions 24.10.2 and 24.07.5 of HP Anyware Agent for Linux. The security advisory links to the different installation packages. Given the risk rating, admins should download and apply the update quickly.
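The two checks an admin can derive from the fixed versions and the workaround named above, as an added example (not code from HP or from this article). The version string and the config file path are supplied by the caller because the article names neither a package nor a file location; the `key = value` format with `#` comments, and the function names, are assumptions.

```shell
#!/bin/sh
# Added example: triage for CVE-2025-1003 using only the article's data.

# Classify a version against the fixed releases named in the article
# (24.07.5 and 24.10.2). Branches the article does not mention: "unknown".
classify_version() {
    branch=${1%.*}    # e.g. 24.10
    patch=${1##*.}    # e.g. 2
    case $patch in ''|*[!0-9]*) echo unknown; return ;; esac
    case $branch in
        24.07) fixed=5 ;;
        24.10) fixed=2 ;;
        *) echo unknown; return ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Succeed if the article's workaround is in effect in the given config file.
# Assumed format: "key = value" lines, '#' comments, last assignment wins.
workaround_active() {
    value=$(sed -e 's/#.*//' "$1" | awk -F= '
        { gsub(/[ \t]/, "", $1) }
        $1 == "pcoip.session_retry_timeout" { gsub(/[ \t\r]/, "", $2); v = $2 }
        END { print v }')
    [ "$value" = "0" ]
}

# Combine both checks. Version string and config path come from the caller;
# the article names neither a package nor a file location.
triage() {
    state=$(classify_version "$1")
    if [ "$state" = patched ]; then
        echo "ok: fixed release"
    elif workaround_active "$2"; then
        echo "mitigated: workaround set, update pending ($state)"
    else
        echo "action needed: $state version, workaround not set"
    fi
}
```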
HP Anyware is remote-control software that enables teams to work remotely. It allows access to desktops or applications from any location.
Last week, it became known that the remote-control software TeamViewer is also affected by a security vulnerability. It likewise allows attackers to escalate their privileges on the system. TeamViewer had also closed the security gaps with updates.
(dmk)