PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-30790 rustdesk-client CVE debrief

CVE-2026-30790 is a critical vulnerability in RustDesk Client that allows interception of the login exchange and offline password brute forcing, because the password hash it uses requires insufficient computational effort. The vulnerability affects RustDesk Client versions through 1.4.8 and is associated with the source files src/client.rs and src/common.rs. The controlled-host peer authentication channel is not affected, but the Server Pro /api login path is, because it relies on TLS alone and downgrades automatically when the certificate is invalid. Defenders should prioritize patching and review their current configurations to limit exposure.

Vendor
rustdesk-client
Product
Unknown
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-05
Original CVE updated
2026-06-22
Advisory published
2026-03-05
Advisory updated
2026-06-22

Who should care

Defenders who use RustDesk Client, especially those using Server Pro, should prioritize patching and review their current configurations to limit exposure. This vulnerability has a CVSS score of 9.3 and is considered critical.

Technical summary

The weakness is a fast double SHA-256 computed over a server-controlled salt and challenge, with no slow KDF in front of it, so a captured exchange can be subjected to offline password brute forcing. The controlled-host peer authentication channel is not affected because it runs inside an XSalsa20-Poly1305 secretbox session. The Server Pro /api login path, however, is exposed because it relies on TLS alone and downgrades automatically when the server certificate is invalid.
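As an added illustration (not RustDesk's code; the hash layout below is a simplified model of the pattern described, with constructed sample values), the fast double-hash response is shown beside a KDF-backed one so the cost of checking a single password candidate against a captured exchange can be compared:

```python
import hashlib
import hmac
import time

# Constructed sample values for the demonstration (not taken from the advisory).
SALT = b"server-chosen-salt-0001"
CHALLENGE = b"server-chosen-challenge-4242"
PASSWORD = b"correct horse battery"


def weak_response(password: bytes, salt: bytes, challenge: bytes) -> bytes:
    """Hypothetical model of the weak pattern: two fast SHA-256 passes over the
    server-supplied salt and challenge, with no slow KDF in front of them."""
    inner = hashlib.sha256(password + salt).digest()
    return hashlib.sha256(inner + challenge).digest()


def hardened_response(password: bytes, salt: bytes, challenge: bytes) -> bytes:
    """Same challenge-response shape, but the password is first stretched with
    scrypt, so each candidate checked against a captured exchange costs a full
    KDF run instead of two SHA-256 calls. Parameters are chosen for this demo."""
    key = hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.new(key, challenge, hashlib.sha256).digest()


def matches(response_fn, captured: bytes, candidate: bytes,
            salt: bytes, challenge: bytes) -> bool:
    """Whether a candidate password reproduces a captured response. Anyone
    holding the transcript can run this offline, so its cost is the defence."""
    return hmac.compare_digest(response_fn(candidate, salt, challenge), captured)


def seconds_per_check(response_fn, trials: int) -> float:
    start = time.perf_counter()
    for _ in range(trials):
        response_fn(PASSWORD, SALT, CHALLENGE)
    return (time.perf_counter() - start) / trials


def work_factor_ratio() -> float:
    """How many times more expensive one candidate check is with the KDF."""
    weak = seconds_per_check(weak_response, 2000)
    strong = seconds_per_check(hardened_response, 3)
    return strong / max(weak, 1e-9)


if __name__ == "__main__":
    print(f"one candidate check costs about {work_factor_ratio():.0f}x more with scrypt")
```

The ratio is machine-dependent, but with these scrypt parameters it is typically in the thousands, which is the margin a slow KDF adds against offline guessing of a captured exchange.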

Defensive priority

High priority due to critical CVSS score and potential for interception and offline password brute forcing.

Recommended defensive actions

  • Update RustDesk Client installations at versions through 1.4.8 to a patched release
  • Review and update Server Pro configurations so that logins use a secure authentication channel
  • Implement additional security measures such as multi-factor authentication
  • Monitor for suspicious activity, and review and update incident response plans to address potential exploitation

Evidence notes

The primary evidence for this vulnerability is the CVE record and the NVD detail page. The vulnerability affects RustDesk Client versions through 1.4.8. Defenders should verify the affected products and versions from official sources.

Official resources

This article is AI-assisted and based on the supplied source corpus.