Description
Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, macOS, Linux, iOS, Android (Heartbeat sync loop, strategy processing modules) allows Protocol Manipulation. This vulnerability is associated with program files src/hbbs_http/sync.rs and program routines stop-service handler in heartbeat loop.

This issue affects RustDesk Client: through 1.4.5.
Published: 2026-03-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Service Stop (Denial of Service)
Action: Immediate Patch
AI Analysis

Impact

Insufficient verification of data authenticity in the RustDesk Client allows an unauthenticated party to deliver a malicious strategy payload that triggers the stop-service handler. Because the client accepts the payload without validating its source or integrity, an attacker can terminate the client process or any related remote services. This flaw corresponds to CWE-345 (Insufficient Verification of Data Authenticity) and CWE-755 (Improper Handling of Exceptional Conditions), and results in a denial of service and potential disruption of remote desktop sessions.

Affected Systems

Affected systems include the RustDesk Client for Windows, macOS, Linux, iOS, and Android running version 1.4.5 or earlier. The vulnerability resides in the heartbeat sync loop and strategy processing modules, particularly in src/hbbs_http/sync.rs and the stop-service routine.

Risk and Exploitability

With a CVSS score of 8.2, the vulnerability is high severity, yet the EPSS score is below 1%, indicating a low probability of exploitation at this time. The attack vector is likely remote, requiring the client to establish a connection to a malicious server that sends a crafted strategy payload. The client's current lack of authentication checks makes the vulnerability exploitable by anyone who can reach the heartbeat sync endpoint. The vulnerability is not listed in the CISA KEV catalog, but administrators should still weigh the high CVSS score and potential impact when assessing risk.

Generated by OpenCVE AI on April 16, 2026 at 04:42 UTC.

Remediation

Vendor Solution

Remove remote kill logic, or require time-limited signed payloads


Vendor Workaround

None effective


OpenCVE Recommended Actions

  • Upgrade RustDesk Client to a version newer than 1.4.5 where the stop-service command requires signed payloads or is disabled.
  • If upgrade is not possible, modify the client configuration to disable remote kill logic or prevent acceptance of strategy payloads that trigger service termination.
  • Implement network monitoring to detect anomalous strategy payloads targeting the heartbeat sync loop and alert administrators of suspicious activity.

Generated by OpenCVE AI on April 16, 2026 at 04:42 UTC.
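The vendor solution above calls for time-limited signed payloads. The following added example (written for this page in Python; it is not RustDesk code, and the field names cmd/iat/nonce/sig, the HMAC-SHA256 scheme, the 60-second acceptance window and the demo key are all assumptions) puts the weak pattern the advisory describes, a handler that acts on any stop-service strategy it receives, next to a hardened handler that verifies an HMAC over the command and its issue time, rejects stale or replayed commands, and keeps a malformed payload from aborting the heartbeat loop.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed demo secret. A real client would hold a key provisioned at
# enrollment (or a server public key for an asymmetric scheme), never a
# literal in source.
DEMO_KEY = b"constructed-demo-secret-not-a-real-key"
MAX_AGE_SECONDS = 60      # how long a signed command stays acceptable (assumed)
CLOCK_SKEW_SECONDS = 5    # tolerance for a slightly future-dated timestamp (assumed)


class RejectedCommand(Exception):
    """Raised when a control payload fails verification."""


def _canonical(cmd: str, iat: int, nonce: str) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps({"cmd": cmd, "iat": iat, "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_command(key: bytes, cmd: str, iat: int,
                 nonce: Optional[str] = None) -> dict:
    """Server side (assumed layout): produce a time-limited, HMAC-signed command."""
    nonce = nonce or base64.urlsafe_b64encode(os.urandom(16)).decode()
    sig = hmac.new(key, _canonical(cmd, iat, nonce), hashlib.sha256).hexdigest()
    return {"cmd": cmd, "iat": iat, "nonce": nonce, "sig": sig}


def unverified_handler(payload: dict) -> str:
    """The weak pattern: act on whatever strategy payload arrives."""
    if payload.get("cmd") == "stop-service":
        return "service stopped"
    return "ignored"


def verified_handler(payload: dict, key: bytes, seen_nonces: set,
                     now: Optional[float] = None) -> str:
    """Hardened handler: reject unsigned, tampered, stale or replayed commands."""
    now = time.time() if now is None else now
    try:
        cmd = str(payload["cmd"])
        iat = int(payload["iat"])
        nonce = str(payload["nonce"])
        sig = str(payload["sig"])
    except (KeyError, TypeError, ValueError):
        # Missing or ill-typed fields are a rejection, not a crash.
        raise RejectedCommand("malformed payload")
    expected = hmac.new(key, _canonical(cmd, iat, nonce), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        raise RejectedCommand("bad signature")
    if not (now - MAX_AGE_SECONDS <= iat <= now + CLOCK_SKEW_SECONDS):
        raise RejectedCommand("stale or future-dated command")
    if nonce in seen_nonces:
        raise RejectedCommand("replayed nonce")
    seen_nonces.add(nonce)
    if cmd == "stop-service":
        return "service stopped"
    return "ignored"


def run_heartbeat_loop(payloads: list, key: bytes, now: float) -> list:
    """Process a batch of strategy payloads. A rejected payload is logged
    (here: recorded) and skipped; it must neither stop the service nor
    abort the loop."""
    seen: set = set()
    results = []
    for payload in payloads:
        try:
            results.append(verified_handler(payload, key, seen, now))
        except RejectedCommand as exc:
            results.append(f"rejected: {exc}")
    return results


if __name__ == "__main__":
    now = time.time()
    signed = sign_command(DEMO_KEY, "stop-service", int(now))
    bare = {"cmd": "stop-service"}           # what an unauthenticated sender can produce
    print("weak handler, bare payload:", unverified_handler(bare))
    print("heartbeat loop:", run_heartbeat_loop([bare, signed, signed], DEMO_KEY, now))
```

The order of checks matters: the signature is verified before the timestamp and nonce are trusted, so an attacker cannot learn anything from the freshness checks without first holding the key. The nonce set is kept per loop here for simplicity; a real client would bound it to the acceptance window so it cannot grow without limit.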


Advisories

No advisories yet.

History

Tue, 17 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 20:30:00 +0000

Type: First Time appeared
Values added: Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk

Type: CPEs
Values added:
cpe:2.3:a:rustdesk:rustdesk:*:*:*:*:-:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Apple; Apple iphone Os; Apple macos; Google; Google android; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk

Type: Metrics (cvssV3_1)
Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 16:00:00 +0000

Type: Description
Values added: Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Heartbeat sync loop, strategy processing modules) allows Protocol Manipulation. This vulnerability is associated with program files src/hbbs_http/sync.Rs and program routines stop-service handler in heartbeat loop. This issue affects RustDesk Client: through 1.4.5.

Type: Title
Values added: RustDesk Client Accepts Unauthenticated stop-service Command via Strategy Payload

Type: First Time appeared
Values added: Rustdesk-client; Rustdesk-client rustdesk Client

Type: Weaknesses
Values added: CWE-345; CWE-755

Type: CPEs
Values added:
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*
cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*

Type: Vendors & Products
Values added: Rustdesk-client; Rustdesk-client rustdesk Client

Type: References
Values added: (none listed)

Type: Metrics (cvssV4_0)
Values added: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-17T14:32:22.806Z

Reserved: 2026-03-05T14:13:37.203Z

Link: CVE-2026-30798

Vulnrichment

Updated: 2026-03-05T16:31:53.181Z

NVD

Status: Analyzed

Published: 2026-03-05T16:16:21.333

Modified: 2026-03-10T20:25:39.497

Link: CVE-2026-30798

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:45:16Z

Weaknesses