RustDesk Client
CVE-2026-30792
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable sync endpoint (AV:N) but exploitation requires an MitM foothold (AC:H); no client auth or interaction (PR:N/UI:N); attacker rewrites config so integrity is high, with limited confidentiality and availability impact.
Primary rating from Vendor (2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe).
CVSS VectorVendor: 2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Strategy sync, HTTP API client, config options engine modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files src/hbbs_http/sync.Rs, hbb_common/src/config.Rs and program routines Strategy merge loop in sync.Rs, Config::set_options().
This issue affects RustDesk Client: through 1.4.5.
AnalysisAI
Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application API messages exchanged between the client and its rendezvous/sync server, altering client strategy and configuration options. The flaw spans every supported platform (Windows, macOS, Linux, iOS, Android, WebClient) and stems from insecure handling in the Strategy merge loop and Config::set_options(), giving an MitM attacker the ability to silently rewrite client behavior. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.05% (16th percentile).
Technical ContextAI
RustDesk is a Rust-based open-source remote desktop suite whose clients periodically synchronize policy and configuration with a server-side strategy via an HTTP API. The vulnerable code paths are src/hbbs_http/sync.rs (the Strategy merge loop that pulls server-pushed options into the local config) and hbb_common/src/config.rs (Config::set_options() which applies the merged values). CWE-657 (Violation of Secure Design Principles) reflects that the client merges and applies remote configuration without enforcing channel integrity or message authenticity, so an attacker controlling the network path can substitute or modify the JSON/API payloads that drive client behavior. The affected CPE is cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*, but the description explicitly covers all platform builds.
RemediationAI
No vendor-released patch identified at time of analysis; the description states the issue affects RustDesk Client through 1.4.5, so monitor the project for a release above 1.4.5 and upgrade as soon as one is published (track the vendor advisory at https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub and the VulDB record at https://vuldb.com/?id.349201). Until a fix ships, restrict the network path between clients and the self-hosted hbbs/hbbr server to trusted segments and front the sync HTTP API with a strict TLS terminator that you control end-to-end, refusing any intermediary that can rewrite traffic (side effect: clients on hostile networks such as captive portals or roaming users behind TLS-inspecting proxies may be unable to connect). Operators of self-hosted deployments should also lock down the advanced-settings options surface documented at https://rustdesk.com/docs/en/self-host/client-configuration/advanced-settings/ so that any tampered values land in a known-safe baseline, and consider pinning clients to a private CA to detect MitM. Avoid using public/community RustDesk relays for sensitive deployments until a patched build is confirmed.
A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Au
Remote denial-of-service in RustDesk Client through 1.4.5 allows network-positioned attackers to disrupt the remote-acce
Authorization scope bypass in RustDesk lets a peer holding only a FileTransfer authorization inject keyboard and mouse i
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remot
RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive
RustDesk Server Pro through version 1.7.5 transmits sensitive address book credentials in cleartext over the network hea
Authentication bypass in RustDesk Client through 1.4.5 across Windows, macOS, Linux, iOS, and Android allows remote atta
Privilege escalation in RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android allows unauthen
Same weakness CWE-657 – Violation of Secure Design Principles
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today