CVE-2024-25140 Overview
A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Authorities with Enhanced Key Usage of Code Signing (1.3.6.1.5.5.7.3.3), valid from 2023 until 2033. This improper certificate validation vulnerability (CWE-295) introduces significant security risks to affected systems. The certificate installation is potentially unwanted because there is no public documentation of security measures for the private key, and arbitrary software could be signed if the private key were to be compromised.
Critical Impact
A compromised test certificate private key could allow attackers to sign arbitrary malicious software that would be trusted by all systems where RustDesk has been installed, enabling widespread code execution attacks.
Affected Products
- RustDesk 1.2.3 on Windows
- Microsoft Windows (all versions where RustDesk is installed)
- Systems with the WDKTestCert certificate in Trusted Root Certification Authorities
Discovery Timeline
- 2024-02-06 - CVE-2024-25140 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-25140
Vulnerability Analysis
This vulnerability stems from RustDesk's approach to code signing on Windows systems. Due to the lack of an Extended Validation (EV) certificate, the developers opted to use a Windows Driver Kit (WDK) test certificate as a workaround. When users install RustDesk 1.2.3, the installer adds the WDKTestCert to the Windows Trusted Root Certification Authorities store with Code Signing capabilities.
The fundamental issue is that this test certificate was never intended for production use in a trust hierarchy. The certificate has a 10-year validity period (2023-2033), and critically, there is no public documentation regarding the security controls protecting the associated private key. If an attacker were to obtain the private key through any means—social engineering, infrastructure compromise, or insider threat—they could sign arbitrary executables that would be implicitly trusted by any Windows system where RustDesk has been installed.
Root Cause
The root cause is the use of a test certificate in a production environment combined with improper certificate trust management. The vendor has acknowledged this was intentional behavior, stating they "do not have EV cert, so we use test cert as a workaround." While the installer UI does display the certificate installation step (which is checked by default), many users may not understand the security implications of adding a test certificate to their root trust store. This represents a CWE-295 (Improper Certificate Validation) vulnerability where the trust model is fundamentally flawed.
Attack Vector
The attack scenario involves an adversary who obtains the WDKTestCert private key through compromise of the development infrastructure, supply chain attack, or other means. Once in possession of the private key, the attacker can:
- Sign arbitrary malicious executables with the trusted certificate
- Distribute malware that Windows systems with RustDesk installed will trust implicitly
- Bypass security controls that rely on code signing verification
- Potentially establish persistence through signed drivers or system components
Because the certificate sits in the Trusted Root Certification Authorities store, Windows treats it as a trust anchor: any Authenticode signature that chains to it validates as trusted without further checks, so controls that gate on a valid signature will accept the signed file. The attack vector is rated network-based because signed malicious payloads can be delivered remotely through various channels.
For technical details on the certificate installation behavior and community discussion, see the GitHub discussion on RustDesk and the related Hacker News discussion.
Detection Methods for CVE-2024-25140
Indicators of Compromise
- Presence of WDKTestCert certificate in the Trusted Root Certification Authorities store (certmgr.msc)
- Certificate with OID 1.3.6.1.5.5.7.3.3 (Code Signing) and validity period 2023-2033
- Executables signed with the WDKTestCert that are not legitimate RustDesk components
- Unexpected signed applications appearing after RustDesk installation
Detection Strategies
- Query the Windows certificate store for test certificates with Code Signing EKU using PowerShell: Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*WDKTestCert*"}
- Implement certificate store monitoring to alert on additions to Trusted Root Certification Authorities
- Use endpoint detection tools to identify executables signed with the WDKTestCert that are not part of legitimate RustDesk installations
- Deploy application whitelisting to control which signed applications can execute
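The store query and signer check described above, combined into one script. This is an added example, not code from the advisory or the RustDesk project; it assumes the certificate subject contains "WDKTestCert" (as the advisory states) and that legitimate RustDesk binaries live under $env:ProgramFiles\RustDesk.

```powershell
# Added example, not from the advisory or the RustDesk project. It assumes the certificate
# subject contains "WDKTestCert" and that RustDesk installs under $env:ProgramFiles\RustDesk.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'

function Find-WdkTestCert {
    # The installer writes to LocalMachine\Root; CurrentUser\Root is checked as well.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*WDKTestCert*' } |
            ForEach-Object {
                $cert = $_
                # Collect EKU OIDs from the Enhanced Key Usage extension, if present.
                $ekus = @($cert.Extensions |
                    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
                [pscustomobject]@{
                    Store = $store; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
                    NotBefore = $cert.NotBefore; NotAfter = $cert.NotAfter
                    CodeSigning = ($ekus -contains $CodeSigningEku)
                    SelfSigned = ($cert.Subject -eq $cert.Issuer)
                }
            }
    }
}

function Find-FilesSignedBy {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Thumbprint,
        [string]$ExpectedPath = "$env:ProgramFiles\RustDesk"   # assumed install location
    )
    # Report PE files whose signer, or the root of the signer's chain, is one of the
    # thumbprints and that sit outside the expected RustDesk directory.
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if (-not $sig.SignerCertificate) { return }
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $null = $chain.Build($sig.SignerCertificate)
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
            if (($Thumbprint -contains $sig.SignerCertificate.Thumbprint -or $Thumbprint -contains $root) -and
                -not $_.FullName.StartsWith($ExpectedPath, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{ File = $_.FullName; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
            }
        }
}
$certs = @(Find-WdkTestCert)
$certs | Format-Table -AutoSize
if ($certs) { Find-FilesSignedBy -Path $env:ProgramFiles -Thumbprint $certs.Thumbprint | Format-Table -AutoSize }
```

Widen the `-Path` argument (for example to a whole volume) for a full sweep; Get-AuthenticodeSignature is slow on large trees, so scope it to the directories you actually need to audit.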
Monitoring Recommendations
- Enable Windows certificate store auditing via Group Policy to log certificate additions
- Configure SentinelOne to monitor for unsigned or suspiciously signed code execution
- Implement network monitoring for connections to RustDesk infrastructure from unexpected systems
- Regularly audit installed certificates across enterprise endpoints using centralized management tools
How to Mitigate CVE-2024-25140
Immediate Actions Required
- Audit all Windows systems for the presence of the WDKTestCert in Trusted Root Certification Authorities
- Remove the WDKTestCert certificate from systems where RustDesk is no longer needed
- Consider alternative remote desktop solutions that use properly validated code signing certificates
- If RustDesk is required, uncheck the certificate installation option during setup and evaluate alternative installation methods
- Implement application control policies to restrict execution of code signed by test certificates
Patch Information
The vendor has acknowledged this behavior as intentional due to the lack of an EV certificate. As of the last modification date (2024-11-21), there is no official patch that changes this certificate handling behavior. Organizations should monitor the RustDesk GitHub repository for updates regarding proper code signing implementation.
Workarounds
- Manually remove the WDKTestCert from the certificate store after installation using certmgr.msc or PowerShell commands
- Use Group Policy to block or remove specific untrusted certificates across enterprise environments
- Deploy RustDesk through managed installation that explicitly opts out of certificate installation
- Implement Software Restriction Policies or Windows Defender Application Control (WDAC) to block execution of code signed by test certificates
- Consider network segmentation to limit exposure of systems with the vulnerable certificate installed
# PowerShell command to identify and remove the WDKTestCert
# List certificates matching WDKTestCert in Trusted Root CA store
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*WDKTestCert*"} | Format-List Subject, Thumbprint, NotAfter
# Remove the certificate (requires Administrator privileges)
# Replace THUMBPRINT with the actual certificate thumbprint from the above command
# Get-ChildItem Cert:\LocalMachine\Root\THUMBPRINT | Remove-Item
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.