Skip to main content

RustDesk Server CVE-2026-30790

HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-03-05 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
8.2
CVSS 4.0 · Vendor: 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
Share

Severity by source

Vendor (2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Network-reachable auth endpoint with no privileges or UI, but successful brute force depends on password entropy and sustained guessing (AC:H); only credential confidentiality is impacted.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe).

CVSS VectorVendor: 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 22, 2026 - 10:47 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 10:46 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 10:37 vuln.today
cvss_changed
Severity Changed
Jun 22, 2026 - 10:37 NVD
CRITICAL HIGH
CVSS changed
Jun 22, 2026 - 10:37 NVD
9.3 (CRITICAL) 8.2 (HIGH)
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 16:16 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification.

This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.

AnalysisAI

Password brute-forcing weakness in RustDesk Server Pro through 1.7.5 and RustDesk Server (OSS) through 1.1.15 allows remote attackers to attack the peer authentication and API login modules without triggering rate limiting, while the SHA256(SHA256(pwd+salt)+challenge) construction provides insufficient computational cost to resist offline guessing. The flaw combines CWE-307 (missing throttling of authentication attempts) with weak password hashing on Windows, macOS, and Linux deployments, and no public exploit has been identified at time of analysis.

Technical ContextAI

RustDesk is an open-source remote desktop relay/rendezvous server written in Rust; the affected logic lives in src/server/connection.rs, specifically the salt/challenge generation and the SHA256(SHA256(pwd+salt)+challenge) verification routine. CWE-307 (Improper Restriction of Excessive Authentication Attempts) means the server does not lock out, delay, or otherwise throttle repeated failed logins, so an attacker can submit unlimited authentication attempts. The chosen hashing primitive - a double SHA256 with a salt and per-session challenge - is fast and GPU-friendly, providing no key-stretching (unlike bcrypt/scrypt/argon2), so captured handshakes or unrestricted online attempts can be cracked or guessed cheaply. Both CPEs cpe:2.3:a:rustdesk:rustdesk_server (pro and oss editions) are covered.

RemediationAI

No vendor-released patch identified at time of analysis for either edition - the disclosure references only the researcher write-up at https://www.vulsec.org/ and the Google Doc advisory, with no fixed version published past RustDesk Server Pro 1.7.5 or RustDesk Server OSS 1.1.15; monitor https://github.com/rustdesk for tagged releases addressing CWE-307 and the hashing weakness. Until a fix lands, restrict exposure of the relay/API ports (default hbbs 21115-21119 and hbbr) to a VPN or allowlisted source IPs so the authentication surface is not internet-reachable, enforce long, high-entropy peer/API passwords (16+ random characters) to make the weak hash and unthrottled attempts computationally impractical, and front the API login with a reverse proxy that enforces per-IP rate limiting and account lockout (e.g., nginx limit_req or fail2ban on auth-failure log lines). These controls reduce blast radius but break unsolicited inbound peer connections from arbitrary internet clients, which is an intentional trade-off for hardened deployments.

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-30790 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy