Description
Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop, strategy processing modules) allows Protocol Manipulation.

This vulnerability is associated with program files src/hbbs_http/sync.rs and program routines stop-service handler in heartbeat loop.



This issue affects RustDesk Client: through 1.4.8.
Published: 2026-03-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient verification of data authenticity and improper handling of exceptional conditions in the RustDesk Client allow protocol manipulation. The flaw in the heartbeat sync loop and strategy processing modules enables an unauthenticated attacker to send a malicious strategy payload containing a stop‑service command. The client accepts this payload without validating its source or integrity, allowing the attacker to terminate the client process or any associated remote services. The flaw corresponds to CWE‑345 and CWE‑755 and results in a denial of service and potential disruption of remote desktop sessions.

Affected Systems

Affected systems include the RustDesk Client for Windows, macOS, Linux, iOS, and Android. The vulnerability affects all versions through 1.4.8. It resides in the heartbeat sync loop and strategy processing modules, particularly the program files src/hbbs_http/sync.rs and the stop-service handler.

Risk and Exploitability

With a CVSS score of 8.2, the vulnerability is high severity, yet the EPSS score is below 1%, indicating a low probability of exploitation at this time. The attack vector is likely remote, requiring the client to establish a connection to a malicious server that sends a crafted strategy payload. The client’s current lack of authentication checks makes the vulnerability exploitable by anyone who can reach the heartbeat sync endpoint. The vulnerability is not listed in the CISA KEV catalog, but administrators should still consider the high CVSS score and potential impact when assessing risk.

Generated by OpenCVE AI on June 22, 2026 at 11:51 UTC.

Remediation

Vendor Solution

Remove remote kill logic, or require time-limited signed payloads
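
One way a client could enforce the "time-limited signed payloads" option, as an added Python sketch (not RustDesk code and not the vendor's fix). The envelope fields `body`, `sig`, `issued_at` and `nonce`, the 60-second window, and the use of HMAC-SHA256 with a pre-shared key in place of a public-key signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

MAX_AGE_SECONDS = 60  # assumed freshness window, not a RustDesk value


class StrategyRejected(Exception):
    """Raised for any envelope the client must ignore (fail closed)."""


def _mac(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_strategy(key: bytes, strategy: dict, issued_at: int, nonce: str) -> dict:
    """Server side: serialise once and sign the exact string that is sent."""
    claims = {"strategy": strategy, "issued_at": issued_at, "nonce": nonce}
    body = json.dumps(claims, sort_keys=True)
    return {"body": body, "sig": _mac(key, body)}


def verify_strategy(key: bytes, envelope, seen_nonces: set, now=None) -> dict:
    """Client side: return the strategy only if authentic, fresh and unused."""
    now = time.time() if now is None else now
    try:
        body, sig = envelope["body"], envelope["sig"]
        if not (isinstance(body, str) and isinstance(sig, str)):
            raise TypeError("body and sig must be strings")
        # Authenticate the raw body before parsing anything inside it.
        if not hmac.compare_digest(_mac(key, body).encode(), sig.encode()):
            raise StrategyRejected("bad signature")
        claims = json.loads(body)
        issued_at, nonce = claims["issued_at"], claims["nonce"]
        strategy = claims["strategy"]
        if isinstance(issued_at, bool) or not isinstance(issued_at, int):
            raise TypeError("issued_at must be an integer")
        if not isinstance(nonce, str) or not isinstance(strategy, dict):
            raise TypeError("unexpected claim types")
    except (KeyError, TypeError, ValueError) as exc:
        # Malformed input is rejected, never acted on (the CWE-755 side).
        raise StrategyRejected(f"malformed envelope: {exc}") from exc
    if abs(now - issued_at) > MAX_AGE_SECONDS:
        raise StrategyRejected("outside freshness window")
    if nonce in seen_nonces:  # entries older than the window can be pruned
        raise StrategyRejected("replayed nonce")
    seen_nonces.add(nonce)
    return strategy
```

A caller would act on a sensitive command such as stop-service only when `verify_strategy` returns, and treat `StrategyRejected` as "ignore and log".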


Vendor Workaround

None effective


OpenCVE Recommended Actions

  • Upgrade to the latest RustDesk Client release that implements the vendor’s fix—removing remote kill logic and requiring time‑limited signed payloads.
  • If an upgrade cannot be applied immediately, configure firewall or network access controls to block or restrict traffic to the heartbeat sync endpoint, allowing only trusted connections.
  • As a temporary measure, disable the stop‑service feature by removing or commenting out the stop‑service handler in the client’s configuration or source code, if such a toggle is available.



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description
Values Removed: Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop, strategy processing modules) allows Protocol Manipulation. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routines stop-service handler in heartbeat loop. This issue affects RustDesk Client: through 1.4.5.
Values Added: Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop, strategy processing modules) allows Protocol Manipulation. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routines stop-service handler in heartbeat loop. This issue affects RustDesk Client: through 1.4.8.

Tue, 17 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple iphone Os
Apple macos
Google
Google android
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Rustdesk
Rustdesk rustdesk
CPEs cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:-:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple iphone Os
Apple macos
Google
Google android
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Rustdesk
Rustdesk rustdesk
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop, strategy processing modules) allows Protocol Manipulation. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routines stop-service handler in heartbeat loop. This issue affects RustDesk Client: through 1.4.5.
Title RustDesk Client Accepts Unauthenticated stop-service Command via Strategy Payload
First Time appeared Rustdesk-client
Rustdesk-client rustdesk Client
Weaknesses CWE-345
CWE-755
CPEs cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*
Vendors & Products Rustdesk-client
Rustdesk-client rustdesk Client
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-06-22T08:25:22.164Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30798

Vulnrichment

Updated: 2026-03-05T16:31:53.181Z

NVD

Status: Analyzed

Published: 2026-03-05T16:16:21.333

Modified: 2026-06-17T10:32:56.347

Link: CVE-2026-30798

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T12:00:05Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity

  • CWE-755

    Improper Handling of Exceptional Conditions