CVE-2026-2490 Overview
CVE-2026-2490 is a link following information disclosure vulnerability affecting RustDesk Client for Windows. This vulnerability allows local attackers to disclose sensitive information on affected installations by exploiting the Transfer File feature. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the Transfer File feature. By uploading a symbolic link, an attacker can abuse the service to read arbitrary files. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM, potentially exposing sensitive system configurations, credentials, and other protected data.
Critical Impact
Local attackers with low-privilege access can read arbitrary files with SYSTEM-level permissions through symbolic link abuse in the Transfer File feature, potentially exposing sensitive credentials and system configurations.
Affected Products
- RustDesk Client for Windows (affected versions not specified)
Discovery Timeline
- 2026-02-20 - CVE-2026-2490 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2026-2490
Vulnerability Analysis
This vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink or link following vulnerability. The flaw resides in how RustDesk Client for Windows handles file transfers, specifically when processing symbolic links during file upload operations.
The Transfer File feature fails to properly validate whether uploaded files are symbolic links pointing to sensitive system locations. When a low-privileged user creates a symbolic link pointing to a protected file (such as system configuration files or credential stores) and uploads it through the RustDesk file transfer mechanism, the service resolves the link and reads the target file with SYSTEM privileges rather than the user's restricted permissions.
This vulnerability requires local access with the ability to execute low-privileged code, meaning an attacker would need some initial foothold on the target system. However, once exploited, the information disclosed could facilitate further attacks or privilege escalation.
Root Cause
The root cause of this vulnerability lies in insufficient validation of file types during the file transfer process. The RustDesk service running with SYSTEM privileges processes file upload requests without checking if the source file is a symbolic link or verifying that the requesting user has legitimate access to the link's target. This allows the elevated service to inadvertently act as a proxy for accessing files that the low-privileged user would not normally be able to read.
The absence of proper link resolution checks and access control validation before file operations enables the privilege boundary to be bypassed through symbolic link manipulation.
Attack Vector
The attack requires local access to the target Windows system. An attacker with low-privileged code execution capability can exploit this vulnerability through the following general approach:
- The attacker creates a symbolic link in a user-accessible location pointing to a target file that requires elevated privileges to read (e.g., C:\Windows\System32\config\SAM or other sensitive system files)
- The attacker initiates a file transfer operation through RustDesk, uploading the symbolic link
- The RustDesk service, running as SYSTEM, resolves the symbolic link and reads the target file contents
- The file contents are transmitted through the file transfer mechanism, allowing the attacker to access data they would not normally have permissions to read
This attack leverages the trust boundary violation where the high-privileged service improperly handles user-controlled symbolic links. For detailed technical information, refer to the Zero Day Initiative Advisory ZDI-26-117 and the GitHub Pull Request Discussion.
Detection Methods for CVE-2026-2490
Indicators of Compromise
- Unexpected symbolic link creation in user-accessible directories pointing to sensitive system files
- Unusual file transfer activity through RustDesk involving system directories or protected files
- RustDesk service accessing files outside of normal operational paths, particularly in C:\Windows\System32\config\ or similar protected locations
- Audit log entries showing symbolic link creation followed by RustDesk file transfer operations
Detection Strategies
- Enable Windows audit policies for object access to monitor symbolic link creation events
- Monitor RustDesk service file access patterns for attempts to read sensitive system files such as SAM, SYSTEM, or SECURITY registry hives
- Implement endpoint detection rules to alert on file transfer operations involving paths outside expected user directories
- Configure SentinelOne to detect suspicious link following behavior patterns in the RustDesk process
Monitoring Recommendations
- Enable detailed file system auditing on sensitive directories to track unauthorized access attempts
- Monitor for creation of symbolic links by non-administrative users in temporary or user profile directories
- Review RustDesk transfer logs for anomalous file access patterns or transfers of system files
- Implement behavioral analytics to detect privilege boundary violations through symlink manipulation
How to Mitigate CVE-2026-2490
Immediate Actions Required
- Review and restrict access to RustDesk installations on sensitive systems until a patch is applied
- Implement principle of least privilege by limiting which users can utilize the file transfer feature
- Monitor systems for indicators of exploitation as described in the detection section
- Consider temporarily disabling the RustDesk file transfer feature on high-value targets if operationally feasible
Patch Information
RustDesk has addressed this vulnerability. For patch details and the specific fix, refer to the GitHub Pull Request #13736 where the remediation was implemented. Organizations should update to the patched version of RustDesk Client for Windows as soon as possible.
Additional details about the vulnerability disclosure and timeline can be found in the Zero Day Initiative Advisory ZDI-26-117.
Workarounds
- Restrict RustDesk file transfer functionality through group policy or application configuration where possible
- Implement Windows security policies to restrict symbolic link creation for non-administrative users using SeCreateSymbolicLinkPrivilege
- Deploy application control solutions to prevent unauthorized use of RustDesk's file transfer capabilities
- Use network segmentation to limit RustDesk access on systems containing sensitive information
# Example: Restrict symbolic link creation privilege via security policy
# Run in an elevated PowerShell session to check current symbolic link privileges
whoami /priv | findstr SeCreateSymbolicLinkPrivilege
# Consider using Group Policy to restrict SeCreateSymbolicLinkPrivilege
# Path: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
# Setting: Create symbolic links - Remove standard users
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
