Description
Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files Closed source — API endpoint handling heartbeat sync and program routines Heartbeat API handler (accepts preset-address-book-password in plaintext).

This issue affects RustDesk Server Pro: through 1.7.5.
Published: 2026-03-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Plaintext Credential Exposure
Action: Apply Fix
AI Analysis

Impact

The vulnerable RustDesk Server Pro exposes the preset address book password in plaintext when synchronizing over the heartbeat API. This cleartext transmission allows an attacker who can sniff network traffic to capture the password and potentially access the user's address book. Based on the description, it is inferred that this credential exposure could compromise the confidentiality of stored address book entries.

Affected Systems

The flaw is present in RustDesk Server Pro on Windows, macOS, and Linux platforms and applies to all releases through version 1.7.5. The API endpoint involved is part of the server's heartbeat and synchronization modules. Any deployment of RustDesk Server Pro at version 1.7.5 or earlier is susceptible.

Risk and Exploitability

The likely attack vector is passive sniffing of traffic between the client and the server. Based on the description, it is inferred that an attacker might also tamper with packets to send a plaintext password, though this is not explicitly stated. The vulnerability carries a CVSS score of 8.7, indicating high severity, but its EPSS score is below 1%, suggesting a very low probability that exploitation will occur in the wild. The flaw is not listed in CISA's KEV catalog at this time.

Generated by OpenCVE AI on April 16, 2026 at 12:21 UTC.

Remediation

Vendor Solution

Transition Address Book API to SRP (Secure Remote Password)


Vendor Workaround

Avoid setting address book passwords; use account-based access only


OpenCVE Recommended Actions

  • Upgrade to a RustDesk Server Pro release that implements SRP for the address book API, per the vendor's official recommendation.
  • If an upgrade cannot be performed immediately, avoid configuring address book passwords and use account-based authentication only, following the provided workaround.
  • Ensure that all traffic to and from the RustDesk Server Pro instance is protected by TLS or transmitted over a secure VPN tunnel to mitigate the risk of network sniffing.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
Vendors & Products Rustdesk rustdesk

Wed, 25 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Rustdesk
Rustdesk rustdesk
Rustdesk rustdesk Server
CPEs cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:webclient:*:*:*
cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:pro:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Rustdesk
Rustdesk rustdesk
Rustdesk rustdesk Server
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 17 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 07 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description Cleartext Transmission of Sensitive Information vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Address book sync API modules) allows Sniffing Attacks. This vulnerability is associated with program files Closed source — API endpoint handling heartbeat sync and program routines Heartbeat API handler (accepts preset-address-book-password in plaintext). This issue affects RustDesk Server Pro: through 1.7.5.
Title RustDesk Server Pro API Requires Address Book Password in Plaintext for Sync Protocol
First Time appeared Rustdesk-server-pro
Rustdesk-server-pro rustdesk Server Pro
Weaknesses CWE-319
CPEs cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:linux:*:*:*:*:*
cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:macos:*:*:*:*:*
cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:windows:*:*:*:*:*
Vendors & Products Rustdesk-server-pro
Rustdesk-server-pro rustdesk Server Pro
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-17T14:31:39.098Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30796

Vulnrichment

Updated: 2026-03-05T16:34:58.670Z

NVD

Status: Analyzed

Published: 2026-03-05T16:16:21.007

Modified: 2026-03-25T17:50:45.090

Link: CVE-2026-30796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses