Impact
The vulnerability in RustDesk Client permits the manipulation of application API messages via a Man‑in‑the‑Middle attack, enabling an attacker to inject strategy payloads that are blindly merged into the client’s configuration during synchronization. Because no authentication checks are performed, these payloads can modify security settings, bypassing local security controls and potentially granting the attacker elevated privileges or persistent control over the client environment.
Affected Systems
All versions of the RustDesk Client up to and including 1.4.8 on Windows, macOS, Linux, iOS, Android, and the WebClient are affected. The weakness resides in the client’s configuration engine, specifically the strategy merge loop and the Config::set_options function.
Risk and Exploitability
Based on the updated description, the likely attack vector involves a Man‑in‑the‑Middle intercepting unsecured API messages to inject strategy payloads that are blindly merged during configuration synchronization. The exploitation occurs through an unauthenticated API message manipulation channel, enabling the attacker to alter or replace configuration options. This bypasses local security settings and can potentially grant the attacker elevated privileges or persistent control over the client environment. The vulnerability carries a CVSS score of 8.3, indicating high severity. The EPSS score is below 1 %, suggesting a low but non‑zero probability of public exploitation, and the issue is not listed in the CISA KEV catalog. Once an unauthenticated strategy payload is merged, the attacker can change security‑related settings, effectively elevating privileges or establishing a foothold. Because no effective workaround exists, immediate mitigation through an upgrade or proper runtime checks is essential.
OpenCVE Enrichment