Impact
The vulnerability in RustDesk Client arises from improper handling of password security: a weak password hash with insufficient computational effort, a fixed zero nonce, and a world-readable machine ID. These weaknesses enable prototype pollution through the hbb_common library and allow an attacker to read encrypted configuration files, ultimately retrieving embedded local passwords or other sensitive data. The flaw maps to CWE-1321, CWE-257, CWE-323, and CWE-916, all in the encryption and key derivation process. The consequence is a compromise of user confidentiality, potentially exposing credentials used to authenticate to remote peers or other services. Only the confidentiality impact is described; no information is given about denial of service or integrity tampering.
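To make the nonce-reuse and key-derivation weaknesses concrete, the following is an added illustrative example, not RustDesk's or hbb_common's code; the toy SHA-256 stream cipher, the function names and the sample values are all constructed for this page. It shows why a fixed zero nonce leaks the XOR of two encrypted values without the key (CWE-323), why a single fast hash over a world-readable machine ID is not a secret key (CWE-916), and what the corrected pattern looks like.

```python
import hashlib
import secrets

NONCE_LEN = 12
ZERO_NONCE = bytes(NONCE_LEN)  # the "fixed zero nonce" pattern (CWE-323)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher built from SHA-256, constructed for this
    example only. Like any stream cipher, it breaks if (key, nonce) repeats."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def weak_config_key(machine_id: bytes) -> bytes:
    # One fast hash over a world-readable identifier: anyone who can read the
    # machine ID recomputes the key with negligible effort (CWE-916).
    return hashlib.sha256(machine_id).digest()

def encrypt_fixed_nonce(key: bytes, plaintext: bytes) -> bytes:
    return keystream_xor(key, ZERO_NONCE, plaintext)

def leaked_plaintext_xor(ct1: bytes, ct2: bytes) -> bytes:
    """Nonce reuse: the XOR of two ciphertexts equals the XOR of their
    plaintexts, so knowing one config value reveals the other without the key."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))

def encrypt_random_nonce(key: bytes, plaintext: bytes) -> bytes:
    # Corrected pattern: fresh random nonce per message, stored with the ciphertext.
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)

def decrypt_random_nonce(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])

def strong_config_key(secret: bytes, salt: bytes) -> bytes:
    # Memory-hard KDF with a per-install random salt. The input must be
    # something an attacker cannot read (not a public machine ID): a slow KDF
    # over public input only delays key recovery, it does not prevent it.
    return hashlib.scrypt(secret, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
```

A defender auditing a config-encryption scheme can apply the same check: encrypt two known values under the same key and confirm that their ciphertext XOR does not equal their plaintext XOR.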
Affected Systems
RustDesk Client versions up to and including 1.4.5 on Windows, macOS, and Linux are affected. The issue is present in the password security module, config encryption module, and machine UID generation code of the RustDesk Client.
Risk and Exploitability
The CVSS score of 8.2 indicates high severity, while the EPSS score of <1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The attack vector is most likely local, requiring access to the client's configuration files, though an attacker who can place a crafted prototype pollution payload could potentially exploit the weakness remotely if the client parses untrusted data. Because the compromised data include passwords stored in plain-text form within the configuration, an attacker with sufficient access can mount credential-stuffing or further attacks against other systems. Given the severity, organizations running affected versions should prioritize remediation.
OpenCVE Enrichment