CVE-2026-30790 PUBLISHED

RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force

Assigner: VULSec
Reserved: 05.03.2026 Published: 05.03.2026 Updated: 05.03.2026

Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification.

This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor rustdesk-server-pro
Product RustDesk Server Pro
Versions Default: affected
  • affected from 0 to 1.7.5 (incl.)
Vendor rustdesk-server
Product RustDesk Server (OSS)
Versions Default: unaffected
  • affected from 0 to 1.1.15 (incl.)

Affected Configurations

Default — any password-based authentication

Exploits

PoC available.

Workarounds

Use long (16+ char) random passwords. Enable 2FA where available. Deploy rate-limiting (e.g., fail2ban on OSS 1.1.15+).

Solutions

Implement SRP (Secure Remote Password) for mutual authentication. Add server-side rate limiting.

Credits

  • Erez Kalman finder
  • Erez Kalman reporter

References

Problem Types

  • CWE-307 Improper Restriction of Excessive Authentication Attempts CWE
  • CWE-916 Use of Password Hash With Insufficient Computational Effort CWE

Impacts

  • CAPEC-49 Password Brute Forcing