Description
Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program routines Config export/generation routines.

This issue affects RustDesk Server Pro: through 1.7.5.
Published: 2026-03-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unintended disclosure of sensitive configuration data
Action: Apply patch
AI Analysis

Impact

RustDesk Server Pro generates configuration strings that are meant to be confidential, but protects them with a keyless, reversible transformation (Base64 encoding followed by string reversal, per the CVE title) rather than encryption. Encoding is not confidentiality: the transform involves no key, so anyone holding an exported string can invert it in two trivial steps. The record classifies this as use of a broken or risky cryptographic algorithm (CWE-327) together with CWE-684, incorrect provision of specified functionality, meaning the routine does not deliver the protection it is supposed to provide. The consequence is that anyone who obtains an exported configuration string can recover its embedded content, such as usernames, passwords, or other secrets, leading to confidentiality loss and potentially to credential compromise or session hijacking. The vulnerability is not a code-execution flaw, but the leaked secrets can enable further attacks against the server and its clients.

Affected Systems

The issue covers RustDesk Server Pro on Windows, macOS, and Linux platforms, affecting all releases up through version 1.7.5. The configuration export and web console modules on these operating systems are the affected components.

Risk and Exploitability

The CVSS 4.0 score of 8.7 (NVD also records a CVSS 3.1 score of 7.5) indicates high severity. Both vectors are AV:N/AC:L/PR:N/UI:N with a high confidentiality impact and no integrity or availability impact: the scorers assessed that no privileges and no user interaction are required. The EPSS score is listed as less than 1 %, suggesting a low but nonzero probability of exploitation at the time of assessment, and the vulnerability has not been recorded in the CISA KEV catalog. The SSVC record nonetheless lists Exploitation as "poc" and Automatable as "yes", which follows from the nature of the flaw: because the transformation is deterministic and keyless, exploitation needs no tooling beyond a string reversal and a Base64 decode. The practical attack is therefore not confined to the web console: any exported configuration string, however it was obtained (shared with a client, pasted into a ticket, captured in transit, or pulled from a backup), yields its embedded secrets to whoever holds it. The page does not say which export paths are reachable without authentication, so the PR:N rating should be read as "possession of the string suffices", not as a claim about the export endpoint.

Generated by OpenCVE AI on April 17, 2026 at 12:45 UTC.

Remediation

Vendor Solution

Implement AES-256-GCM AEAD or equivalent authenticated encryption


Vendor Workaround

Treat config strings as public; restrict distribution to trusted channels only


OpenCVE Recommended Actions

  • Upgrade RustDesk Server Pro to a version that replaces reversible encoding with AES‑256‑GCM authenticated encryption, following the official solution advisories.
  • If an upgrade cannot be applied immediately, treat the exported configuration strings as public and restrict their distribution to trusted, internal channels only, as recommended by the workaround.
  • Regenerate any configuration data that has already been exported and revoke any credentials that may have been exposed, then re‑issue fresh values to prevent downstream compromise.
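The following added example is not RustDesk's code and is not from the OpenCVE page. It reconstructs the pattern named in the CVE title (Base64, then string reversal) to show that the transform is undone with no key at all, and next to it implements the vendor's stated fix, AES-256-GCM authenticated encryption, using only Go's standard library. The sample configuration content, the 32-byte key and the "rustdesk-config-v1" associated-data label are constructed assumptions; the real config format and the way RustDesk manages keys are not described on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// reverseBytes returns a reversed copy of b.
func reverseBytes(b []byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[len(b)-1-i] = c
	}
	return out
}

// encodeReversible reconstructs the pattern named in the CVE title
// (Base64, then string reversal). Illustration only, not RustDesk's code.
// Note that no key is involved anywhere.
func encodeReversible(plain []byte) string {
	return string(reverseBytes([]byte(base64.StdEncoding.EncodeToString(plain))))
}

// decodeReversible is what any holder of such a string can do:
// un-reverse, then Base64-decode. This is the whole "attack".
func decodeReversible(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(string(reverseBytes([]byte(s))))
}

// sealConfig encrypts plain with AES-256-GCM under a 32-byte key and binds
// aad (e.g. a format/version label) into the tag. Output is
// Base64(nonce || ciphertext || tag). A fresh random 96-bit nonce is drawn
// per call; a key must never be reused with a repeated nonce.
func sealConfig(key, plain, aad []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("sealConfig: AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plain, aad) // nonce prefix, then ct||tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openConfig undoes sealConfig. A different key, a changed nonce, ciphertext
// or tag, or a different aad all make gcm.Open fail closed with an error.
func openConfig(key []byte, sealedB64 string, aad []byte) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(sealedB64)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("openConfig: sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// flipLastByte corrupts one byte of a sealed blob (the tag sits at the end)
// to demonstrate that tampering is detected rather than silently decrypted.
func flipLastByte(sealedB64 string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(sealedB64)
	if err != nil || len(sealed) == 0 {
		return "", errors.New("flipLastByte: nothing to corrupt")
	}
	sealed[len(sealed)-1] ^= 0x01
	return base64.StdEncoding.EncodeToString(sealed), nil
}

func main() {
	// Constructed sample, not a real RustDesk config string.
	secret := []byte("host=rd.example.internal;key=constructed-sample-key")
	enc := encodeReversible(secret)
	dec, _ := decodeReversible(enc)
	fmt.Printf("reversible: %s\n  recovered with no key: %q\n", enc, dec)

	key := make([]byte, 32) // assumed: a server-side key that is never exported
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aad := []byte("rustdesk-config-v1") // assumed label, not a real format tag
	sealed, _ := sealConfig(key, secret, aad)
	fmt.Println("sealed:", sealed)
}
```

Encrypting the export only moves the problem to key management: if the decryption key is itself embedded in the client or shipped alongside the string, the result is again recoverable by anyone who holds both, which is why the vendor workaround of treating existing strings as public still applies to anything exported before the fix.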


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 16:45:00 +0000

First Time appeared (values added): Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk Server
CPEs (values added):
  cpe:2.3:a:rustdesk:rustdesk_server:*:*:*:*:pro:*:*:*
  cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products (values added): Apple; Apple macos; Linux; Linux linux Kernel; Microsoft; Microsoft windows; Rustdesk; Rustdesk rustdesk Server
Metrics (values added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Sat, 07 Mar 2026 03:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 18:15:00 +0000


Thu, 05 Mar 2026 14:30:00 +0000

Description (values added): Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program routines Config export/generation routines. This issue affects RustDesk Server Pro: through 1.7.5.
Title (values added): RustDesk Server Generates Config Strings Using Reversible Encoding (Base64 + Reverse) Instead of Encryption
First Time appeared (values added): Rustdesk-server-pro; Rustdesk-server-pro rustdesk Server Pro
Weaknesses (values added): CWE-327; CWE-684
CPEs (values added):
  cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:linux:*:*:*:*:*
  cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:macos:*:*:*:*:*
  cpe:2.3:a:rustdesk-server-pro:rustdesk_server_pro:*:*:windows:*:*:*:*:*
Vendors & Products (values added): Rustdesk-server-pro; Rustdesk-server-pro rustdesk Server Pro
References (values added):
Metrics (values added): cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VULSec

Published:

Updated: 2026-03-06T18:18:16.491Z

Reserved: 2026-03-05T13:26:50.447Z

Link: CVE-2026-3598

Vulnrichment

Updated: 2026-03-06T18:18:12.879Z

NVD

Status : Analyzed

Published: 2026-03-05T15:16:15.167

Modified: 2026-03-25T16:35:12.760

Link: CVE-2026-3598

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:11Z

Weaknesses