
    8 vulnerabilities found for rustdesk_server by rustdesk

    CVE-2026-30796 (GCVE-0-2026-30796)

    Vulnerability from nvd – Published: 2026-03-05 15:30 – Updated: 2026-03-17 14:31
    VLAI
    Title
    RustDesk Server Pro API Requires Address Book Password in Plaintext for Sync Protocol
    Summary
    Cleartext Transmission of Sensitive Information vulnerability in RustDesk Server Pro (vendor and package: rustdesk-server-pro) on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files "Closed source — API endpoint handling heartbeat sync" and program routines "Heartbeat API handler (accepts preset-address-book-password in plaintext)". This issue affects RustDesk Server Pro: through 1.7.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    URL Tags
    https://rustdesk.com/docs/en/ technical-description, x_--config documentation
    https://docs.google.com/document/d/e/2PACX-1vSds6… third-party-advisory, exploit
    https://www.vulsec.org/ vdb-entry, third-party-advisory
    Impacted products
    Vendor Product Version
    rustdesk-server-pro RustDesk Server Pro Affected: 0 , ≤ 1.7.5 (custom)
    Date Public
    2026-03-05 13:45
    Credits
    Erez Kalman (finder), Erez Kalman (reporter)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30796",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-17T14:31:35.721954Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-17T14:31:39.098Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/rustdesk/rustdesk-server-pro/releases",
              "defaultStatus": "affected",
              "modules": [
                "Address book sync API"
              ],
              "packageName": "rustdesk-server-pro",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "RustDesk Server Pro",
              "programFiles": [
                "Closed source \u2014 API endpoint handling heartbeat sync"
              ],
              "programRoutines": [
                {
                  "name": "Heartbeat API handler (accepts preset-address-book-password in plaintext)"
                }
              ],
              "vendor": "rustdesk-server-pro",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Server Pro",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Pro server with address book feature in use"
                }
              ],
              "value": "Pro server with address book feature in use"
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:windows:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:macos:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:linux:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Erez Kalman"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Erez Kalman"
            }
          ],
          "datePublic": "2026-03-05T13:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eClosed source \u2014 API endpoint handling heartbeat sync\u003c/tt\u003e and program routines \u003ctt\u003eHeartbeat API handler (accepts preset-address-book-password in plaintext)\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Server Pro: through 1.7.5.\u003c/p\u003e"
                }
              ],
              "value": "Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files Closed source \u2014 API endpoint handling heartbeat sync and program routines Heartbeat API handler (accepts preset-address-book-password in plaintext).\n\nThis issue affects RustDesk Server Pro: through 1.7.5."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "PoC available. Trivially exploitable.\u003cbr\u003e"
                }
              ],
              "value": "PoC available. Trivially exploitable."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-157",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-157 Sniffing Attacks"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319 Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T16:51:07.744Z",
            "orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
            "shortName": "VULSec"
          },
          "references": [
            {
              "tags": [
                "technical-description",
                "x_--config documentation"
              ],
              "url": "https://rustdesk.com/docs/en/"
            },
            {
              "tags": [
                "third-party-advisory",
                "exploit"
              ],
              "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
            },
            {
              "tags": [
                "vdb-entry",
                "third-party-advisory"
              ],
              "url": "https://www.vulsec.org/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Transition Address Book API to SRP (Secure Remote Password)"
                }
              ],
              "value": "Transition Address Book API to SRP (Secure Remote Password)"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "RustDesk Server Pro API Requires Address Book Password in Plaintext for Sync Protocol",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Avoid setting address book passwords; use account-based access only"
                }
              ],
              "value": "Avoid setting address book passwords; use account-based access only"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
        "assignerShortName": "VULSec",
        "cveId": "CVE-2026-30796",
        "datePublished": "2026-03-05T15:30:39.605Z",
        "dateReserved": "2026-03-05T14:13:37.203Z",
        "dateUpdated": "2026-03-17T14:31:39.098Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30790 (GCVE-0-2026-30790)

    Vulnerability from nvd – Published: 2026-03-05 15:49 – Updated: 2026-03-10 18:26
    VLAI
    Title
    RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force
    Summary
    Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in RustDesk Server Pro (rustdesk-server-pro) and RustDesk Server (OSS) (rustdesk-server) on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification. This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    • CWE-916 - Use of Password Hash With Insufficient Computational Effort
    Assigner
    References
    URL Tags
    https://github.com/rustdesk product
    https://docs.google.com/document/d/e/2PACX-1vSds6… third-party-advisory, exploit
    https://www.vulsec.org/ vdb-entry, third-party-advisory
    Impacted products
    Date Public
    2026-03-05 13:45
    Credits
    Erez Kalman (finder), Erez Kalman (reporter)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30790",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-10T18:26:28.818818Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-10T18:26:36.250Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/rustdesk/rustdesk-server-pro/releases",
              "defaultStatus": "affected",
              "modules": [
                "Peer authentication",
                "API login"
              ],
              "packageName": "rustdesk-server-pro",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "RustDesk Server Pro",
              "programRoutines": [
                {
                  "name": "Salt/challenge generation"
                },
                {
                  "name": "SHA256(SHA256(pwd+salt)+challenge) verification"
                }
              ],
              "vendor": "rustdesk-server-pro",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Server Pro",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://github.com/rustdesk/rustdesk-server/releases",
              "defaultStatus": "unaffected",
              "modules": [
                "Peer authentication",
                "API login"
              ],
              "packageName": "rustdesk-server",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "RustDesk Server (OSS)",
              "programFiles": [
                "src/server/connection.rs"
              ],
              "programRoutines": [
                {
                  "name": "Salt/challenge generation"
                },
                {
                  "name": "SHA256(SHA256(pwd+salt)+challenge) verification"
                }
              ],
              "repo": "https://github.com/rustdesk/rustdesk-server",
              "vendor": "rustdesk-server",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Server OSS",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.1.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Default \u2014 any password-based authentication"
                }
              ],
              "value": "Default \u2014 any password-based authentication"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Erez Kalman"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Erez Kalman"
            }
          ],
          "datePublic": "2026-03-05T13:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003esrc/server/connection.Rs\u003c/tt\u003e and program routines \u003ctt\u003eSalt/challenge generation\u003c/tt\u003e, \u003ctt\u003eSHA256(SHA256(pwd+salt)+challenge) verification\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.\u003c/p\u003e"
                }
              ],
              "value": "Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification.\n\nThis issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "PoC available.\u003cbr\u003e"
                }
              ],
              "value": "PoC available."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-49",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-49 Password Brute Forcing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-916",
                  "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T16:59:25.324Z",
            "orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
            "shortName": "VULSec"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/rustdesk"
            },
            {
              "tags": [
                "third-party-advisory",
                "exploit"
              ],
              "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
            },
            {
              "tags": [
                "vdb-entry",
                "third-party-advisory"
              ],
              "url": "https://www.vulsec.org/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Implement SRP (Secure Remote Password) for mutual authentication. Add server-side rate limiting."
                }
              ],
              "value": "Implement SRP (Secure Remote Password) for mutual authentication. Add server-side rate limiting."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use long (16+ char) random passwords. Enable 2FA where available. Deploy rate-limiting (e.g., fail2ban on OSS 1.1.15+)."
                }
              ],
              "value": "Use long (16+ char) random passwords. Enable 2FA where available. Deploy rate-limiting (e.g., fail2ban on OSS 1.1.15+)."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
        "assignerShortName": "VULSec",
        "cveId": "CVE-2026-30790",
        "datePublished": "2026-03-05T15:49:15.539Z",
        "dateReserved": "2026-03-05T14:13:37.202Z",
        "dateUpdated": "2026-03-10T18:26:36.250Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30784 (GCVE-0-2026-30784)

    Vulnerability from nvd – Published: 2026-03-05 15:58 – Updated: 2026-03-06 10:29
    VLAI
    Title
    RustDesk hbbs/hbbr Servers Broker Connections Without Any Authorization Check
    Summary
    Missing Authorization, Missing Authentication for Critical Function vulnerability in RustDesk Server (rustdesk-server, rustdesk-server-pro) on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.rs, src/relay_server.rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding. This issue affects RustDesk Server: Server Pro through 1.7.5, Server OSS through 1.1.15.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-862 - Missing Authorization
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    URL Tags
    https://rustdesk.com/docs/en/self-host/ technical-description, product
    https://docs.google.com/document/d/e/2PACX-1vSds6… third-party-advisory, exploit
    https://www.vulsec.org/ vdb-entry, third-party-advisory
    Impacted products
    Vendor Product Version
    rustdesk-server RustDesk Server Affected: 0 , ≤ 1.7.5 (custom; Server Pro)
    Affected: 0 , ≤ 1.1.15 (custom; Server OSS)
    Date Public
    2026-03-05 13:45
    Credits
    Erez Kalman (finder), Erez Kalman (reporter)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30784",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-06T10:28:27.311766Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-06T10:29:25.085Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/rustdesk/",
              "defaultStatus": "affected",
              "modules": [
                "Rendezvous server (hbbs)",
                "relay server (hbbr)"
              ],
              "packageName": "rustdesk-server, rustdesk-server-pro",
              "platforms": [
                "hbbs/hbbr on all server platforms"
              ],
              "product": "RustDesk Server",
              "programFiles": [
                "src/rendezvous_server.rs",
                "src/relay_server.rs"
              ],
              "programRoutines": [
                {
                  "name": "handle_punch_hole_request()"
                },
                {
                  "name": "RegisterPeer handler"
                },
                {
                  "name": "relay forwarding"
                }
              ],
              "repo": "https://github.com/rustdesk/rustdesk-server",
              "vendor": "rustdesk-server",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Server Pro",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "Server OSS",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.1.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Default \u2014 any hbbs/hbbr deployment (OSS or Pro)"
                }
              ],
              "value": "Default \u2014 any hbbs/hbbr deployment (OSS or Pro)"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Erez Kalman"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Erez Kalman"
            }
          ],
          "datePublic": "2026-03-05T13:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003esrc/rendezvous_server.Rs\u003c/tt\u003e, \u003ctt\u003esrc/relay_server.Rs\u003c/tt\u003e and program routines \u003ctt\u003ehandle_punch_hole_request()\u003c/tt\u003e, \u003ctt\u003eRegisterPeer handler\u003c/tt\u003e, \u003ctt\u003erelay forwarding\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Server: through 1.7.5, through 1.1.15.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding.\n\nThis issue affects RustDesk Server: through 1.7.5, through 1.1.15."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "PoC available.\u003cbr\u003e"
                }
              ],
              "value": "PoC available."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122 Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T17:03:15.491Z",
            "orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
            "shortName": "VULSec"
          },
          "references": [
            {
              "tags": [
                "technical-description",
                "product"
              ],
              "url": "https://rustdesk.com/docs/en/self-host/"
            },
            {
              "tags": [
                "third-party-advisory",
                "exploit"
              ],
              "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
            },
            {
              "tags": [
                "vdb-entry",
                "third-party-advisory"
              ],
              "url": "https://www.vulsec.org/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Implement Signed Session Authorization Tokens validated by hbbs and hbbr"
                }
              ],
              "value": "Implement Signed Session Authorization Tokens validated by hbbs and hbbr"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "RustDesk hbbs/hbbr Servers Broker Connections Without Any Authorization Check",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Restrict network access to hbbs/hbbr ports (21116, 21117) via firewall. Use strong passwords."
                }
              ],
              "value": "Restrict network access to hbbs/hbbr ports (21116, 21117) via firewall. Use strong passwords."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
        "assignerShortName": "VULSec",
        "cveId": "CVE-2026-30784",
        "datePublished": "2026-03-05T15:58:46.790Z",
        "dateReserved": "2026-03-05T14:13:35.407Z",
        "dateUpdated": "2026-03-06T10:29:25.085Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3598 (GCVE-0-2026-3598)

    Vulnerability from nvd – Published: 2026-03-05 14:14 – Updated: 2026-03-06 18:18
    VLAI
    Title
    RustDesk Server Generates Config Strings Using Reversible Encoding (Base64 + Reverse) Instead of Encryption
    Summary
    Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program routines Config export/generation routines. This issue affects RustDesk Server Pro: through 1.7.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    • CWE-684
    Assigner
    References
    URL Tags
    https://rustdesk.com/docs/en/client/ technical-description, x_--config documentation
    https://docs.google.com/document/d/e/2PACX-1vSds6… third-party-advisory, exploit
    https://www.vulsec.org/ vdb-entry, third-party-advisory
    Impacted products
    Vendor Product Version
    rustdesk-server-pro RustDesk Server Pro Affected: 0 , ≤ 1.7.5 (custom)
    Date Public
    2026-03-05 13:45
    Credits
    Erez Kalman Erez Kalman

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3598",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-06T18:18:09.054262Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-06T18:18:16.491Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/rustdesk/rustdesk-server-pro/releases",
              "defaultStatus": "affected",
              "modules": [
                "Config string generation",
                "web console export"
              ],
              "packageName": "rustdesk-server-pro",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "RustDesk Server Pro",
              "programRoutines": [
                {
                  "name": "Config export/generation routines"
                }
              ],
              "vendor": "rustdesk-server-pro",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Server Pro",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Default \u2014 any deployment using \"Encrypted Config\" strings\u003cbr\u003e"
                }
              ],
              "value": "Default \u2014 any deployment using \"Encrypted Config\" strings"
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:windows:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:macos:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:linux:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Erez Kalman"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Erez Kalman"
            }
          ],
          "datePublic": "2026-03-05T13:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data.\u003cp\u003e This vulnerability is associated with program routines \u003ctt\u003eConfig export/generation routines\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Server Pro: through 1.7.5.\u003c/p\u003e"
                }
              ],
              "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program routines Config export/generation routines.\n\nThis issue affects RustDesk Server Pro: through 1.7.5."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "PoC available. Trivially exploitable.\u003cbr\u003e"
                }
              ],
              "value": "PoC available. Trivially exploitable."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-684",
                  "description": "CWE-684",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T16:34:14.352Z",
            "orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
            "shortName": "VULSec"
          },
          "references": [
            {
              "tags": [
                "technical-description",
                "x_--config documentation"
              ],
              "url": "https://rustdesk.com/docs/en/client/"
            },
            {
              "tags": [
                "third-party-advisory",
                "exploit"
              ],
              "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
            },
            {
              "tags": [
                "vdb-entry",
                "third-party-advisory"
              ],
              "url": "https://www.vulsec.org/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Implement AES-256-GCM AEAD or equivalent authenticated encryption\u003cbr\u003e"
                }
              ],
              "value": "Implement AES-256-GCM AEAD or equivalent authenticated encryption"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "RustDesk Server Generates Config Strings Using Reversible Encoding (Base64 + Reverse) Instead of Encryption",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Treat config strings as public; restrict distribution to trusted channels only\u003cbr\u003e"
                }
              ],
              "value": "Treat config strings as public; restrict distribution to trusted channels only"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
        "assignerShortName": "VULSec",
        "cveId": "CVE-2026-3598",
        "datePublished": "2026-03-05T14:14:11.125Z",
        "dateReserved": "2026-03-05T13:26:50.447Z",
        "dateUpdated": "2026-03-06T18:18:16.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30784 (GCVE-0-2026-30784)

    Vulnerability from cvelistv5 – Published: 2026-03-05 15:58 – Updated: 2026-03-06 10:29
    VLAI
    Title
    RustDesk hbbs/hbbr Servers Broker Connections Without Any Authorization Check
    Summary
    Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.rs, src/relay_server.rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding. This issue affects RustDesk Server: Server Pro through 1.7.5, Server OSS through 1.1.15.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-862 - Missing Authorization
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    URL Tags
    https://rustdesk.com/docs/en/self-host/ technical-description, product
    https://docs.google.com/document/d/e/2PACX-1vSds6… third-party-advisory, exploit
    https://www.vulsec.org/ vdb-entry, third-party-advisory
    Impacted products
    Vendor Product Version
    rustdesk-server RustDesk Server Affected: 0 , ≤ 1.7.5 (custom)
    Affected: 0 , ≤ 1.1.15 (custom)
    Date Public
    2026-03-05 13:45
    Credits
    Erez Kalman Erez Kalman

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30784",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-06T10:28:27.311766Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-06T10:29:25.085Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/rustdesk/",
              "defaultStatus": "affected",
              "modules": [
                "Rendezvous server (hbbs)",
                "relay server (hbbr)"
              ],
              "packageName": "rustdesk-server, rustdesk-server-pro",
              "platforms": [
                "hbbs/hbbr on all server platforms"
              ],
              "product": "RustDesk Server",
              "programFiles": [
                "src/rendezvous_server.rs",
                "src/relay_server.rs"
              ],
              "programRoutines": [
                {
                  "name": "handle_punch_hole_request()"
                },
                {
                  "name": "RegisterPeer handler"
                },
                {
                  "name": "relay forwarding"
                }
              ],
              "repo": "https://github.com/rustdesk/rustdesk-server",
              "vendor": "rustdesk-server",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Server Pro",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "Server OSS",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.1.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Default \u2014 any hbbs/hbbr deployment (OSS or Pro)"
                }
              ],
              "value": "Default \u2014 any hbbs/hbbr deployment (OSS or Pro)"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Erez Kalman"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Erez Kalman"
            }
          ],
          "datePublic": "2026-03-05T13:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003esrc/rendezvous_server.Rs\u003c/tt\u003e, \u003ctt\u003esrc/relay_server.Rs\u003c/tt\u003e and program routines \u003ctt\u003ehandle_punch_hole_request()\u003c/tt\u003e, \u003ctt\u003eRegisterPeer handler\u003c/tt\u003e, \u003ctt\u003erelay forwarding\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Server: through 1.7.5, through 1.1.15.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding.\n\nThis issue affects RustDesk Server: through 1.7.5, through 1.1.15."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "PoC available.\u003cbr\u003e"
                }
              ],
              "value": "PoC available."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-122",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-122 Privilege Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T17:03:15.491Z",
            "orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
            "shortName": "VULSec"
          },
          "references": [
            {
              "tags": [
                "technical-description",
                "product"
              ],
              "url": "https://rustdesk.com/docs/en/self-host/"
            },
            {
              "tags": [
                "third-party-advisory",
                "exploit"
              ],
              "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
            },
            {
              "tags": [
                "vdb-entry",
                "third-party-advisory"
              ],
              "url": "https://www.vulsec.org/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Implement Signed Session Authorization Tokens validated by hbbs and hbbr"
                }
              ],
              "value": "Implement Signed Session Authorization Tokens validated by hbbs and hbbr"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "RustDesk hbbs/hbbr Servers Broker Connections Without Any Authorization Check",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Restrict network access to hbbs/hbbr ports (21116, 21117) via firewall. Use strong passwords."
                }
              ],
              "value": "Restrict network access to hbbs/hbbr ports (21116, 21117) via firewall. Use strong passwords."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
        "assignerShortName": "VULSec",
        "cveId": "CVE-2026-30784",
        "datePublished": "2026-03-05T15:58:46.790Z",
        "dateReserved": "2026-03-05T14:13:35.407Z",
        "dateUpdated": "2026-03-06T10:29:25.085Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30790 (GCVE-0-2026-30790)

    Vulnerability from cvelistv5 – Published: 2026-03-05 15:49 – Updated: 2026-03-10 18:26
    VLAI
    Title
    RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force
    Summary
    Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification. This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    • CWE-916 - Use of Password Hash With Insufficient Computational Effort
    Assigner
    References
    URL Tags
    https://github.com/rustdesk product
    https://docs.google.com/document/d/e/2PACX-1vSds6… third-party-advisory, exploit
    https://www.vulsec.org/ vdb-entry, third-party-advisory
    Impacted products
    Date Public
    2026-03-05 13:45
    Credits
    Erez Kalman Erez Kalman

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30790",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-10T18:26:28.818818Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-10T18:26:36.250Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/rustdesk/rustdesk-server-pro/releases",
              "defaultStatus": "affected",
              "modules": [
                "Peer authentication",
                "API login"
              ],
              "packageName": "rustdesk-server-pro",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "RustDesk Server Pro",
              "programRoutines": [
                {
                  "name": "Salt/challenge generation"
                },
                {
                  "name": "SHA256(SHA256(pwd+salt)+challenge) verification"
                }
              ],
              "vendor": "rustdesk-server-pro",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Server Pro",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://github.com/rustdesk/rustdesk-server/releases",
              "defaultStatus": "unaffected",
              "modules": [
                "Peer authentication",
                "API login"
              ],
              "packageName": "rustdesk-server",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "RustDesk Server (OSS)",
              "programFiles": [
                "src/server/connection.rs"
              ],
              "programRoutines": [
                {
                  "name": "Salt/challenge generation"
                },
                {
                  "name": "SHA256(SHA256(pwd+salt)+challenge) verification"
                }
              ],
              "repo": "https://github.com/rustdesk/rustdesk-server",
              "vendor": "rustdesk-server",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Server OSS",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.1.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Default \u2014 any password-based authentication"
                }
              ],
              "value": "Default \u2014 any password-based authentication"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Erez Kalman"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Erez Kalman"
            }
          ],
          "datePublic": "2026-03-05T13:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003esrc/server/connection.Rs\u003c/tt\u003e and program routines \u003ctt\u003eSalt/challenge generation\u003c/tt\u003e, \u003ctt\u003eSHA256(SHA256(pwd+salt)+challenge) verification\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.\u003c/p\u003e"
                }
              ],
              "value": "Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification.\n\nThis issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "PoC available.\u003cbr\u003e"
                }
              ],
              "value": "PoC available."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-49",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-49 Password Brute Forcing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-916",
                  "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T16:59:25.324Z",
            "orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
            "shortName": "VULSec"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/rustdesk"
            },
            {
              "tags": [
                "third-party-advisory",
                "exploit"
              ],
              "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
            },
            {
              "tags": [
                "vdb-entry",
                "third-party-advisory"
              ],
              "url": "https://www.vulsec.org/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Implement SRP (Secure Remote Password) for mutual authentication. Add server-side rate limiting."
                }
              ],
              "value": "Implement SRP (Secure Remote Password) for mutual authentication. Add server-side rate limiting."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use long (16+ char) random passwords. Enable 2FA where available. Deploy rate-limiting (e.g., fail2ban on OSS 1.1.15+)."
                }
              ],
              "value": "Use long (16+ char) random passwords. Enable 2FA where available. Deploy rate-limiting (e.g., fail2ban on OSS 1.1.15+)."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
        "assignerShortName": "VULSec",
        "cveId": "CVE-2026-30790",
        "datePublished": "2026-03-05T15:49:15.539Z",
        "dateReserved": "2026-03-05T14:13:37.202Z",
        "dateUpdated": "2026-03-10T18:26:36.250Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30796 (GCVE-0-2026-30796)

    Vulnerability from cvelistv5 – Published: 2026-03-05 15:30 – Updated: 2026-03-17 14:31
    VLAI
    Title
    RustDesk Server Pro API Requires Address Book Password in Plaintext for Sync Protocol
    Summary
    Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files Closed source — API endpoint handling heartbeat sync and program routines Heartbeat API handler (accepts preset-address-book-password in plaintext). This issue affects RustDesk Server Pro: through 1.7.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    URL Tags
    https://rustdesk.com/docs/en/ technical-description, x_--config documentation
    https://docs.google.com/document/d/e/2PACX-1vSds6… third-party-advisory, exploit
    https://www.vulsec.org/ vdb-entry, third-party-advisory
    Impacted products
    Vendor Product Version
    rustdesk-server-pro RustDesk Server Pro Affected: 0 , ≤ 1.7.5 (custom)
    Date Public
    2026-03-05 13:45
    Credits
    Erez Kalman Erez Kalman

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30796",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-17T14:31:35.721954Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-17T14:31:39.098Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/rustdesk/rustdesk-server-pro/releases",
              "defaultStatus": "affected",
              "modules": [
                "Address book sync API"
              ],
              "packageName": "rustdesk-server-pro",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "RustDesk Server Pro",
              "programFiles": [
                "Closed source \u2014 API endpoint handling heartbeat sync"
              ],
              "programRoutines": [
                {
                  "name": "Heartbeat API handler (accepts preset-address-book-password in plaintext)"
                }
              ],
              "vendor": "rustdesk-server-pro",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Server Pro",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Pro server with address book feature in use"
                }
              ],
              "value": "Pro server with address book feature in use"
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:windows:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:macos:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:linux:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Erez Kalman"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Erez Kalman"
            }
          ],
          "datePublic": "2026-03-05T13:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eClosed source \u2014 API endpoint handling heartbeat sync\u003c/tt\u003e and program routines \u003ctt\u003eHeartbeat API handler (accepts preset-address-book-password in plaintext)\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Server Pro: through 1.7.5.\u003c/p\u003e"
                }
              ],
              "value": "Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files Closed source \u2014 API endpoint handling heartbeat sync and program routines Heartbeat API handler (accepts preset-address-book-password in plaintext).\n\nThis issue affects RustDesk Server Pro: through 1.7.5."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "PoC available. Trivially exploitable.\u003cbr\u003e"
                }
              ],
              "value": "PoC available. Trivially exploitable."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-157",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-157 Sniffing Attacks"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319 Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T16:51:07.744Z",
            "orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
            "shortName": "VULSec"
          },
          "references": [
            {
              "tags": [
                "technical-description",
                "x_--config documentation"
              ],
              "url": "https://rustdesk.com/docs/en/"
            },
            {
              "tags": [
                "third-party-advisory",
                "exploit"
              ],
              "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
            },
            {
              "tags": [
                "vdb-entry",
                "third-party-advisory"
              ],
              "url": "https://www.vulsec.org/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Transition Address Book API to SRP (Secure Remote Password)"
                }
              ],
              "value": "Transition Address Book API to SRP (Secure Remote Password)"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "RustDesk Server Pro API Requires Address Book Password in Plaintext for Sync Protocol",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Avoid setting address book passwords; use account-based access only"
                }
              ],
              "value": "Avoid setting address book passwords; use account-based access only"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
        "assignerShortName": "VULSec",
        "cveId": "CVE-2026-30796",
        "datePublished": "2026-03-05T15:30:39.605Z",
        "dateReserved": "2026-03-05T14:13:37.203Z",
        "dateUpdated": "2026-03-17T14:31:39.098Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3598 (GCVE-0-2026-3598)

    Vulnerability from cvelistv5 – Published: 2026-03-05 14:14 – Updated: 2026-03-06 18:18
    VLAI
    Title
    RustDesk Server Generates Config Strings Using Reversible Encoding (Base64 + Reverse) Instead of Encryption
    Summary
    Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program routines Config export/generation routines. This issue affects RustDesk Server Pro: through 1.7.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
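    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    • CWE-684 - Incorrect Provision of Specified Functionality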
    Assigner
    References
    URL Tags
    https://rustdesk.com/docs/en/client/ technical-description, x_--config documentation
    https://docs.google.com/document/d/e/2PACX-1vSds6… third-party-advisory, exploit
    https://www.vulsec.org/ vdb-entry, third-party-advisory
    Impacted products
    Vendor Product Version
    rustdesk-server-pro RustDesk Server Pro Affected: 0 , ≤ 1.7.5 (custom)
    Date Public
    2026-03-05 13:45
    Credits
    Erez Kalman Erez Kalman

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3598",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-06T18:18:09.054262Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-06T18:18:16.491Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/rustdesk/rustdesk-server-pro/releases",
              "defaultStatus": "affected",
              "modules": [
                "Config string generation",
                "web console export"
              ],
              "packageName": "rustdesk-server-pro",
              "platforms": [
                "Windows",
                "MacOS",
                "Linux"
              ],
              "product": "RustDesk Server Pro",
              "programRoutines": [
                {
                  "name": "Config export/generation routines"
                }
              ],
              "vendor": "rustdesk-server-pro",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "Server Pro",
                      "status": "affected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Default \u2014 any deployment using \"Encrypted Config\" strings\u003cbr\u003e"
                }
              ],
              "value": "Default \u2014 any deployment using \"Encrypted Config\" strings"
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:windows:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:macos:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:linux:*:*:*:*:*",
                      "versionEndIncluding": "1.7.5",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Erez Kalman"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Erez Kalman"
            }
          ],
          "datePublic": "2026-03-05T13:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data.\u003cp\u003e This vulnerability is associated with program routines \u003ctt\u003eConfig export/generation routines\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Server Pro: through 1.7.5.\u003c/p\u003e"
                }
              ],
              "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program routines Config export/generation routines.\n\nThis issue affects RustDesk Server Pro: through 1.7.5."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "PoC available. Trivially exploitable.\u003cbr\u003e"
                }
              ],
              "value": "PoC available. Trivially exploitable."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-684",
                  "description": "CWE-684",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T16:34:14.352Z",
            "orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
            "shortName": "VULSec"
          },
          "references": [
            {
              "tags": [
                "technical-description",
                "x_--config documentation"
              ],
              "url": "https://rustdesk.com/docs/en/client/"
            },
            {
              "tags": [
                "third-party-advisory",
                "exploit"
              ],
              "url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
            },
            {
              "tags": [
                "vdb-entry",
                "third-party-advisory"
              ],
              "url": "https://www.vulsec.org/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Implement AES-256-GCM AEAD or equivalent authenticated encryption\u003cbr\u003e"
                }
              ],
              "value": "Implement AES-256-GCM AEAD or equivalent authenticated encryption"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "RustDesk Server Generates Config Strings Using Reversible Encoding (Base64 + Reverse) Instead of Encryption",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Treat config strings as public; restrict distribution to trusted channels only\u003cbr\u003e"
                }
              ],
              "value": "Treat config strings as public; restrict distribution to trusted channels only"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
        "assignerShortName": "VULSec",
        "cveId": "CVE-2026-3598",
        "datePublished": "2026-03-05T14:14:11.125Z",
        "dateReserved": "2026-03-05T13:26:50.447Z",
        "dateUpdated": "2026-03-06T18:18:16.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }