An issue was discovered in AnyDesk through 9.0.4. A remotely connected user with the Control my device permission can manipulate remote AnyDesk settings and create a password for the Full Access profile without needing confirmation from the counterparty. Consequently, the attacker can later connect without this counterparty confirmation.