CVE-2026-30795 Overview
CVE-2026-30795 is a Cleartext Transmission of Sensitive Information vulnerability affecting the RustDesk Client across multiple platforms including Windows, macOS, Linux, iOS, and Android. The vulnerability exists within the Heartbeat sync loop modules, specifically in the src/hbbs_http/sync.rs file and the Heartbeat JSON payload construction routines that handle preset-address-book-password data. This flaw enables attackers to conduct sniffing attacks to intercept sensitive information transmitted in plaintext over the network.
Critical Impact
Sensitive credentials including preset address book passwords can be intercepted by network attackers, potentially compromising remote desktop sessions and associated infrastructure.
Affected Products
- RustDesk Client through version 1.4.5 on Windows
- RustDesk Client through version 1.4.5 on macOS
- RustDesk Client through version 1.4.5 on Linux
- RustDesk Client through version 1.4.5 on iOS
- RustDesk Client through version 1.4.5 on Android
Discovery Timeline
- 2026-03-05 - CVE-2026-30795 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-30795
Vulnerability Analysis
This vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information), which occurs when software transmits sensitive data across a network channel without encryption. In the context of RustDesk Client, the heartbeat synchronization mechanism responsible for maintaining connection state and synchronizing address book data fails to properly encrypt sensitive payload information before transmission.
The vulnerability is particularly concerning because it affects the heartbeat JSON payload construction that includes preset-address-book-password values. These passwords are used to protect address book entries and access configurations within the RustDesk ecosystem. When transmitted in cleartext, any attacker positioned on the network path between the client and server can passively capture these credentials.
The network-based attack vector requires no authentication or user interaction, making exploitation straightforward for attackers with network access. This could include attackers on the same local network, compromised network infrastructure, or man-in-the-middle positions.
Root Cause
The root cause lies in the implementation within src/hbbs_http/sync.rs, where the Heartbeat JSON payload construction routine does not apply encryption to the preset-address-book-password field before network transmission. This represents a fundamental design flaw where sensitive authentication data is handled without appropriate cryptographic protection during the synchronization process.
Attack Vector
The attack vector is network-based, allowing remote attackers to intercept sensitive information without requiring any privileges on the target system. An attacker can exploit this vulnerability through passive network sniffing by positioning themselves on the network path between the RustDesk client and its communication endpoint.
The attack methodology involves capturing network traffic during the heartbeat synchronization cycle, parsing the cleartext JSON payloads, and extracting the preset-address-book-password values. This can be accomplished using common network analysis tools on shared network segments, compromised routers, or through ARP spoofing on local networks.
Detection Methods for CVE-2026-30795
Indicators of Compromise
- Unencrypted HTTP traffic containing JSON payloads with preset-address-book-password fields originating from RustDesk client processes
- Network captures showing plaintext heartbeat synchronization traffic to RustDesk server endpoints
- Suspicious network reconnaissance activity targeting RustDesk communication ports
Detection Strategies
- Deploy network traffic analysis tools to monitor for cleartext transmission of sensitive data patterns associated with RustDesk heartbeat traffic
- Implement deep packet inspection rules to alert on JSON payloads containing preset-address-book-password in unencrypted streams
- Monitor endpoint processes for RustDesk client versions 1.4.5 and below across the enterprise
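The deep packet inspection strategy above can be prototyped as follows. This is an added example, not code from the advisory or from RustDesk: it assumes the input is one reassembled client-to-server TCP payload, the function names are hypothetical, and the host, path and values in the sample payloads are constructed placeholders.

```python
import json
import re

SENSITIVE_KEY = "preset-address-book-password"  # field name from the advisory

def has_key(node, key):
    """True if `key` appears at any depth of a decoded JSON value."""
    if isinstance(node, dict):
        return key in node or any(has_key(v, key) for v in node.values())
    if isinstance(node, list):
        return any(has_key(v, key) for v in node)
    return False

def inspect_stream(payload: bytes):
    """Return an alert dict for a cleartext exposure, else None.

    `payload` is one reassembled client-to-server TCP payload (assumption).
    The alert never carries the secret value.
    """
    # TLS records start with a content type 0x14-0x17 and major version 0x03.
    if len(payload) >= 2 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03:
        return None
    head, sep, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    if not sep or not re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.[01]", request_line):
        return None  # not a plaintext HTTP/1.x request
    try:
        hit, parsed = has_key(json.loads(body.decode("utf-8")), SENSITIVE_KEY), True
    except ValueError:
        # Truncated or non-JSON body: fall back to a raw search for the key.
        hit, parsed = SENSITIVE_KEY.encode() in body, False
    if not hit:
        return None
    return {"rule": "cleartext-" + SENSITIVE_KEY, "json_parsed": parsed,
            "request": request_line.decode("ascii", "replace"),
            "value": "[REDACTED]"}

# Constructed sample payloads (host, path and values are placeholders).
HDR = (b"POST /constructed/path HTTP/1.1\r\nHost: rustdesk.example.internal\r\n"
       b"Content-Type: application/json\r\n\r\n")
CLEAR_HTTP = HDR + b'{"id":"100200300","preset-address-book-password":"constructed-secret"}'
BENIGN_HTTP = HDR + b'{"id":"100200300","modified_at":0}'
TRUNCATED = HDR + b'{"id":"100200300","preset-address-book-password":"constr'
TLS_RECORD = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(32)

if __name__ == "__main__":
    for name in ("CLEAR_HTTP", "BENIGN_HTTP", "TRUNCATED", "TLS_RECORD"):
        print(name, inspect_stream(globals()[name]))
```

Redacting the value in the alert keeps the detection pipeline from becoming a second place where the credential is stored in cleartext.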
Monitoring Recommendations
- Enable network flow logging and analyze traffic patterns for RustDesk client communications
- Configure SIEM rules to correlate RustDesk network activity with potential credential harvesting indicators
- Audit network segments where RustDesk clients operate to identify potential sniffing attack vectors
How to Mitigate CVE-2026-30795
Immediate Actions Required
- Upgrade RustDesk Client to a version newer than 1.4.5 once a patched release becomes available
- Implement network segmentation to isolate RustDesk client traffic from untrusted network segments
- Deploy VPN or encrypted tunnels for RustDesk communications as an interim protection measure
- Rotate any preset-address-book-password credentials that may have been exposed
Patch Information
Organizations should monitor the RustDesk GitHub repository for security updates addressing this vulnerability. Additional technical details about the vulnerability can be found in the security research documentation. Further security resources are available at Vulsec.
Workarounds
- Force all RustDesk client traffic through an encrypted VPN tunnel to prevent network-level interception
- Implement network access controls to restrict which systems can communicate with RustDesk clients
- Disable the preset address book feature if not operationally required until a patch is available
- Deploy network intrusion detection systems to alert on potential sniffing activity targeting RustDesk traffic
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


