CVE-2026-30789 Overview
CVE-2026-30789 is an Authentication Bypass vulnerability affecting RustDesk Client that allows attackers to perform session replay attacks. The vulnerability stems from improper authentication mechanisms in the client login and peer authentication modules, combined with the use of password hashing algorithms with insufficient computational effort. An attacker who can capture authentication traffic can replay session credentials to gain unauthorized access to remote desktop sessions.
Critical Impact
This vulnerability enables attackers to bypass authentication entirely by replaying captured session IDs, potentially granting full unauthorized access to remote desktop connections across all supported platforms including Windows, MacOS, Linux, iOS, and Android.
Affected Products
- RustDesk Client versions through 1.4.5 on Windows
- RustDesk Client versions through 1.4.5 on MacOS
- RustDesk Client versions through 1.4.5 on Linux
- RustDesk Client versions through 1.4.5 on iOS
- RustDesk Client versions through 1.4.5 on Android
Discovery Timeline
- 2026-03-05 - CVE-2026-30789 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-30789
Vulnerability Analysis
This vulnerability combines two distinct weaknesses that together enable authentication bypass. The first weakness (CWE-294) involves Authentication Bypass by Capture-replay, where the authentication mechanism fails to properly invalidate or protect session tokens from being reused. The second weakness involves the use of password hashing with insufficient computational effort, making it easier for attackers to work with captured authentication data.
The vulnerable code resides in src/client.rs, specifically within the hash_password() function and the login proof construction routines. The authentication flow does not implement adequate protections against replay attacks, such as cryptographic nonces, timestamps with appropriate validation windows, or challenge-response mechanisms that would prevent captured session data from being reused.
The network-based attack vector requires no user interaction and no prior privileges, making this vulnerability particularly dangerous in environments where network traffic can be intercepted. An attacker positioned to capture network traffic (such as on a shared network, through ARP spoofing, or via compromised network infrastructure) can record authentication exchanges and replay them to establish unauthorized remote desktop sessions.
Root Cause
The root cause of this vulnerability lies in the insufficient protection of the authentication mechanism in the RustDesk Client. The hash_password() function and associated login proof construction in src/client.rs do not incorporate adequate anti-replay measures. Without mechanisms like cryptographic nonces, properly validated timestamps, or sequence numbers, the system cannot distinguish between legitimate authentication attempts and replayed captured sessions.
Additionally, the password hashing implementation lacks sufficient computational effort, which compounds the issue by making the authentication tokens more susceptible to analysis and reuse. Proper authentication protocols should include freshness guarantees that invalidate captured credentials after use or after a short time window.
Attack Vector
The attack follows a capture-and-replay methodology. An attacker first positions themselves to intercept network traffic between a RustDesk client and server—this could be achieved through network-level attacks such as ARP spoofing, rogue access points, or compromised network infrastructure. Once in position, the attacker captures the authentication exchange, including the session ID and login proof construction.
The captured session data can then be replayed to the RustDesk server, which accepts it as a valid authentication attempt. Because the system does not verify the freshness of the authentication data or maintain state to detect duplicate sessions, the replayed credentials successfully authenticate the attacker, granting them full access to the remote desktop session.
For more technical details on this vulnerability, refer to the Google Docs Security Document and VulSec Security Resources.
Detection Methods for CVE-2026-30789
Indicators of Compromise
- Multiple authentication attempts using identical session tokens or login proofs within a short time window
- Authentication requests originating from different IP addresses using the same session credentials
- Unusual patterns in authentication traffic suggesting capture and replay, such as exact duplicate packets
- Geographic anomalies where the same session appears to originate from disparate locations
Detection Strategies
- Implement network traffic analysis to identify duplicate authentication packets with matching session identifiers
- Deploy SIEM rules to correlate authentication events and flag instances where identical credentials are used from different source addresses
- Monitor RustDesk server logs for authentication anomalies such as rapid sequential logins or logins that occur after a session has already been established
- Use network intrusion detection systems (IDS) to flag patterns consistent with session replay attacks
Monitoring Recommendations
- Enable detailed logging on RustDesk servers to capture full authentication context including timestamps, source addresses, and session identifiers
- Implement real-time alerting for authentication anomalies that could indicate replay attacks
- Deploy network monitoring at critical junctions to capture and analyze traffic to/from RustDesk services
- Consider implementing encrypted network segments or VPN tunnels for RustDesk traffic to prevent capture opportunities
How to Mitigate CVE-2026-30789
Immediate Actions Required
- Upgrade RustDesk Client to a version newer than 1.4.5 once a patch is available
- Implement network-level encryption (VPN, TLS tunnels) for all RustDesk traffic to prevent credential capture
- Restrict RustDesk usage to trusted network segments where traffic interception is less likely
- Review server logs for evidence of past exploitation and investigate any anomalous authentication patterns
Patch Information
Organizations should monitor the RustDesk Client Documentation for official security updates addressing this vulnerability. Until a patch is released, implement the recommended workarounds to reduce exposure. Given the critical nature of this authentication bypass, prioritize patch deployment immediately upon availability.
Workarounds
- Deploy RustDesk connections exclusively over VPN or other encrypted tunnels to prevent traffic interception
- Implement additional authentication layers such as network-level access controls or jump servers that require separate authentication
- Limit RustDesk server exposure by placing it behind firewalls that restrict access to known, trusted IP ranges
- Consider temporarily disabling RustDesk in high-security environments until a patch is available, using alternative remote access solutions with stronger authentication mechanisms
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
