Impact
The vulnerability in RustDesk Client arises from the way the Server Pro /api login proof is constructed and transmitted. A double‑SHA256 hash over a server‑controlled salt and challenge is sent in cleartext over the HTTP management channel, protected only by TLS. When an invalid server certificate is automatically downgraded to an insecure connection, the hash is exposed. An attacker who captures this traffic can recover the hash and perform offline brute‑force attacks with minimal computational effort, gaining access to user accounts. The peer‑to‑peer authentication channel remains secure because it employs host‑key verification and XSalsa20‑Poly1305 encryption before the login proof is sent.
Affected Systems
Affected deployments are RustDesk Client version 1.4.8 and earlier on all supported operating systems: Windows, macOS, Linux, iOS, and Android.
Risk and Exploitability
The CVSS score of 8.2 indicates high severity, while the EPSS score of less than 1% shows a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Attackers can offline brute‑force the reproduced hash with very little effort if they obtain the challenge and salt, so the risk is significant for exposed installations that lack other mitigations.
OpenCVE Enrichment