CVE-2026-30790
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification.
This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| rustdesk-server-pro | RustDesk Server Pro | 0 <= 1.7.5 | affected |
| rustdesk-server | RustDesk Server (OSS) | 0 <= 1.1.15 | affected |
Weaknesses
- CWE-307: CWE-307 Improper Restriction of Excessive Authentication Attempts
- CWE-916: CWE-916 Use of Password Hash With Insufficient Computational Effort
Workarounds
Use long (16+ char) random passwords. Enable 2FA where available. Deploy rate-limiting (e.g., fail2ban on OSS 1.1.15+).
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
References
- https://github.com/rustdesk
- https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub
- https://www.vulsec.org/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.