CVE-2026-30790

Summary

Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification.

This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.

Affected Software

VendorProductVersion RangeStatus
rustdesk-server-proRustDesk Server Pro0 <= 1.7.5affected
rustdesk-serverRustDesk Server (OSS)0 <= 1.1.15affected

Weaknesses

  • CWE-307: CWE-307 Improper Restriction of Excessive Authentication Attempts
  • CWE-916: CWE-916 Use of Password Hash With Insufficient Computational Effort

Workarounds

Use long (16+ char) random passwords. Enable 2FA where available. Deploy rate-limiting (e.g., fail2ban on OSS 1.1.15+).

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References