Description
Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification.

This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.
Published: 2026-03-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Brute‑Force
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from the RustDesk Server’s use of a weak, double‑SHA256 password hash, SHA256(SHA256(pwd+salt)+challenge), combined with a salt and challenge whose entropy is entirely controlled by the server and which can be captured and replayed. Authentication attempts are not throttled, so an attacker can submit credentials repeatedly. Because the hash is computationally inexpensive, password guesses can be tested quickly, both online against the server and offline against a captured exchange, to recover valid passwords and gain unauthorized access to the server.

Affected Systems

Affected deployments are RustDesk Server Pro up to version 1.7.5 and the open‑source RustDesk Server (OSS) up to 1.1.15. The flaw is present on all supported operating systems—Windows, macOS, and Linux—as it exists in the peer authentication and API login modules.

Risk and Exploitability

The CVSS base score of 9.3 signals critical severity, while the EPSS score of less than 1% indicates a low current exploitation probability. The server does not enforce rate limiting and relies on a fast hash, which together increase the feasibility of brute‑force attacks. The vulnerability is not yet listed in CISA’s KEV catalog. Attackers who can obtain the challenge and salt can test password guesses offline with minimal effort, making the risk tangible for any exposed installation.

Generated by OpenCVE AI on April 17, 2026 at 12:43 UTC.

Remediation

Vendor Solution

Implement SRP (Secure Remote Password) for mutual authentication. Add server-side rate limiting.


Vendor Workaround

Use long (16+ char) random passwords. Enable 2FA where available. Deploy rate-limiting (e.g., fail2ban on OSS 1.1.15+).


OpenCVE Recommended Actions

  • Upgrade to a patched release of RustDesk Server Pro beyond 1.7.5 or RustDesk Server OSS beyond 1.1.15, which implements SRP authentication and adds server‑side rate limiting.
  • Configure server‑side rate limiting for authentication requests, such as deploying fail2ban or an equivalent mechanism on the OSS version.
  • Enforce strong passwords of at least 16 random characters and enable two‑factor authentication where the client and server support it.
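The following is an added illustration, not RustDesk code and not taken from this record: it implements the server-side check the description names, SHA256(SHA256(pwd+salt)+challenge), and puts a sliding-window attempt throttle in front of it, the kind of server-side rate limiting the remediation calls for. The class and function names, the limits (5 failures per 60 seconds) and the sample password are all constructed for this example; the throttle addresses CWE-307 only and is not a substitute for the SRP-based handshake the vendor solution describes.

```python
"""Added example: the advisory's challenge-response check behind an
attempt throttle. Not RustDesk's code; names, limits and sample values
are constructed for illustration."""
import hashlib
import secrets
import time
from collections import defaultdict, deque


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def expected_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """The two-pass construction named in the description. Two SHA-256 calls
    take microseconds, which is the CWE-916 problem: a captured
    (salt, challenge, response) triple can be tested against guesses at
    hardware speed, so the server must limit attempts and, per the vendor
    solution, move to SRP."""
    inner = sha256(password.encode("utf-8") + salt)
    return sha256(inner + challenge)


class AuthThrottle:
    """Sliding-window limiter: at most `max_attempts` failed logins per
    `window_seconds` for one key (peer id or source address). The clock is
    injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 60.0,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._failures: dict[str, deque] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> None:
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, key: str) -> bool:
        now = self.clock()
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_attempts

    def record_failure(self, key: str) -> None:
        self._failures[key].append(self.clock())

    def reset(self, key: str) -> None:
        self._failures.pop(key, None)


class PeerAuthenticator:
    """Server side of the exchange with the throttle checked first, so a
    blocked key is refused before any hashing happens (CWE-307 mitigation)."""

    def __init__(self, password: str, throttle: AuthThrottle):
        self.password = password  # constructed: the server's configured password
        self.throttle = throttle

    def new_handshake(self) -> tuple[bytes, bytes]:
        # salt and challenge are chosen by the server, as the record's title notes
        return secrets.token_bytes(16), secrets.token_bytes(16)

    def verify(self, key: str, salt: bytes, challenge: bytes, response: bytes) -> str:
        """Returns 'ok', 'bad_password' or 'throttled'."""
        if self.throttle.is_blocked(key):
            return "throttled"
        expected = expected_response(self.password, salt, challenge)
        if secrets.compare_digest(expected, response):  # constant-time compare
            self.throttle.reset(key)
            return "ok"
        self.throttle.record_failure(key)
        return "bad_password"


def demo() -> list[str]:
    """Seven attempts from one key: five wrong guesses are checked, the sixth
    is refused even though it is correct, and the same correct response is
    accepted once the window has elapsed."""
    fake_clock = [0.0]
    throttle = AuthThrottle(max_attempts=5, window_seconds=60.0,
                            clock=lambda: fake_clock[0])
    auth = PeerAuthenticator("correct horse battery staple", throttle)
    salt, challenge = auth.new_handshake()
    results = []
    for wrong in ["wrong-1", "wrong-2", "wrong-3", "wrong-4", "wrong-5"]:
        results.append(auth.verify("peer-A", salt, challenge,
                                   expected_response(wrong, salt, challenge)))
    good = expected_response("correct horse battery staple", salt, challenge)
    results.append(auth.verify("peer-A", salt, challenge, good))  # throttled
    fake_clock[0] = 61.0  # window has passed
    results.append(auth.verify("peer-A", salt, challenge, good))  # ok
    return results


if __name__ == "__main__":
    print(demo())
```

Keying the throttle by source address is the closest in-process equivalent of the fail2ban workaround; keying by peer id in addition stops a distributed guesser from spreading attempts across addresses. The throttle does nothing about offline guessing on a captured exchange, which only a stronger handshake (the SRP the vendor solution names) or a slow password hash removes.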

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 15:45:00 +0000

Type: First Time appeared
Values added:
  Apple
  Apple macos
  Linux
  Linux linux Kernel
  Microsoft
  Microsoft windows
  Rustdesk
  Rustdesk rustdesk Server

Type: CPEs
Values added:
  cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:oss:*:*:*
  cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:pro:*:*:*
  cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values added:
  Apple
  Apple macos
  Linux
  Linux linux Kernel
  Microsoft
  Microsoft windows
  Rustdesk
  Rustdesk rustdesk Server

Type: Metrics cvssV3_1
Values added:
  {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 10 Mar 2026 19:15:00 +0000

Type: Metrics ssvc
Values removed:
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values added:
  {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values added:
  Rustdesk-server
  Rustdesk-server rustdesk Server
  Rustdesk-server rustdesk Server Pro

Type: Vendors & Products
Values added:
  Rustdesk-server
  Rustdesk-server rustdesk Server
  Rustdesk-server rustdesk Server Pro

Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 17:15:00 +0000

Type: Metrics ssvc
Values added:
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 16:00:00 +0000

Type: Description
Values added:
  Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification. This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.

Type: Title
Values added:
  RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force

Type: Weaknesses
Values added:
  CWE-307
  CWE-916

Type: References

Type: Metrics cvssV4_0
Values added:
  {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-10T18:26:36.250Z

Reserved: 2026-03-05T14:13:37.202Z

Link: CVE-2026-30790

Vulnrichment

Updated: 2026-03-05T16:30:43.098Z

NVD

Status : Analyzed

Published: 2026-03-05T16:16:19.703

Modified: 2026-03-25T15:43:09.427

Link: CVE-2026-30790

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses