RustDesk Server
CVE-2026-30790
HIGH
Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable auth endpoint with no privileges or UI, but successful brute force depends on password entropy and sustained guessing (AC:H); only credential confidentiality is impacted.
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe).
CVSS VectorVendor: 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification.
This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.
AnalysisAI
Password brute-forcing weakness in RustDesk Server Pro through 1.7.5 and RustDesk Server (OSS) through 1.1.15 allows remote attackers to attack the peer authentication and API login modules without triggering rate limiting, while the SHA256(SHA256(pwd+salt)+challenge) construction provides insufficient computational cost to resist offline guessing. The flaw combines CWE-307 (missing throttling of authentication attempts) with weak password hashing on Windows, macOS, and Linux deployments, and no public exploit has been identified at time of analysis.
Technical ContextAI
RustDesk is an open-source remote desktop relay/rendezvous server written in Rust; the affected logic lives in src/server/connection.rs, specifically the salt/challenge generation and the SHA256(SHA256(pwd+salt)+challenge) verification routine. CWE-307 (Improper Restriction of Excessive Authentication Attempts) means the server does not lock out, delay, or otherwise throttle repeated failed logins, so an attacker can submit unlimited authentication attempts. The chosen hashing primitive - a double SHA256 with a salt and per-session challenge - is fast and GPU-friendly, providing no key-stretching (unlike bcrypt/scrypt/argon2), so captured handshakes or unrestricted online attempts can be cracked or guessed cheaply. Both CPEs cpe:2.3:a:rustdesk:rustdesk_server (pro and oss editions) are covered.
RemediationAI
No vendor-released patch identified at time of analysis for either edition - the disclosure references only the researcher write-up at https://www.vulsec.org/ and the Google Doc advisory, with no fixed version published past RustDesk Server Pro 1.7.5 or RustDesk Server OSS 1.1.15; monitor https://github.com/rustdesk for tagged releases addressing CWE-307 and the hashing weakness. Until a fix lands, restrict exposure of the relay/API ports (default hbbs 21115-21119 and hbbr) to a VPN or allowlisted source IPs so the authentication surface is not internet-reachable, enforce long, high-entropy peer/API passwords (16+ random characters) to make the weak hash and unthrottled attempts computationally impractical, and front the API login with a reverse proxy that enforces per-IP rate limiting and account lockout (e.g., nginx limit_req or fail2ban on auth-failure log lines). These controls reduce blast radius but break unsolicited inbound peer connections from arbitrary internet clients, which is an intentional trade-off for hardened deployments.
More in Rustdesk Server
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today