Cyber Posture

CVE-2026-30789

Critical · Public PoC

Published: 05 March 2026
Modified: 25 March 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (37.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with program files src/client.rs and program routines hash_password(), login proof construction. This issue affects RustDesk Client: through 1.4.5.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Directly mitigates authentication bypass via session replay by requiring mechanisms to protect the authenticity of communications sessions, such as nonces or timestamps.
- prevent: Addresses use of password hash with insufficient computational effort by requiring authenticators to have sufficient strength and protection against unauthorized reuse or disclosure.
- prevent: Mitigates capture-replay attacks by enforcing confidentiality and integrity protections on transmissions during client login and peer authentication.

Security Summary [AI]

CVE-2026-30789 is an Authentication Bypass by Capture-replay and Use of Password Hash With Insufficient Computational Effort vulnerability in the RustDesk Client (rustdesk-client). It affects the client login and peer authentication modules on Windows, macOS, Linux, iOS, and Android, and allows session IDs to be reused (session replay). The issue is associated with the program file src/client.rs and routines such as hash_password() and the login proof construction. It affects RustDesk Client versions through 1.4.5 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-294 and CWE-916.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By capturing and replaying session data, adversaries can bypass authentication mechanisms, achieving high confidentiality, integrity, and availability impacts, such as unauthorized access to client sessions and peer connections.

Advisories providing details on mitigations and patches are available at the following references: https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub, https://rustdesk.com/docs/en/client/, and https://www.vulsec.org/.
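The two weakness classes named above (a replayable login proof, and a stored password hash that is cheap to compute) are easiest to understand side by side. The following Python illustration is added here; it is not RustDesk's code and does not describe how src/client.rs or hash_password() actually work. It contrasts a static proof that is a fast hash of the password (anything captured once authenticates forever) with a login in which the server issues a single-use random nonce, the client binds its proof to that nonce with HMAC, and the stored verifier is derived with a slow KDF (scrypt). All names (`Server`, `client_proof`, `derive_verifier`), the KDF cost parameters and the sample credential are constructed for the example.

```python
"""Added illustration: replayable login proof vs. nonce-bound challenge-response.
Not RustDesk's code; all names and parameters are constructed for this example."""
import hashlib
import hmac
import secrets

# --- Weak pattern (CWE-916 + CWE-294): the proof is a fast, unsalted hash of the
# password and never changes, so a single captured proof can be replayed forever.
def weak_login_proof(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

def weak_server_check(stored_proof: bytes, presented: bytes) -> bool:
    # Constant-time compare, but nothing here ties the proof to this session.
    return hmac.compare_digest(stored_proof, presented)

# --- Hardened pattern: slow KDF for the stored verifier, server-issued single-use
# nonce bound into the proof, constant-time comparison on the server side.
KDF_PARAMS = dict(n=2**14, r=8, p=1)  # scrypt cost; demo values, tune for production

def derive_verifier(password: str, salt: bytes) -> bytes:
    """Memory-hard derivation so offline guessing is expensive (addresses CWE-916)."""
    return hashlib.scrypt(password.encode(), salt=salt, dklen=32, **KDF_PARAMS)

class Server:
    """Hypothetical login endpoint that issues nonces and consumes them once."""
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.verifier = derive_verifier(password, self.salt)
        self.outstanding = set()  # nonces issued but not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, proof: bytes) -> bool:
        if nonce not in self.outstanding:   # unknown, expired or already consumed
            return False
        self.outstanding.discard(nonce)     # single use, even if the proof is wrong
        expected = hmac.new(self.verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

def client_proof(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: bind the proof to the fresh nonce (addresses CWE-294)."""
    key = derive_verifier(password, salt)
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    """Run both patterns against a captured-and-replayed proof; returns outcomes."""
    password = "correct horse battery staple"  # constructed sample credential

    # Weak pattern: the "sniffed" proof is accepted again without limit.
    weak_stored = weak_login_proof(password)
    captured = weak_login_proof(password)
    weak_replay_ok = weak_server_check(weak_stored, captured)

    # Hardened pattern: genuine login succeeds, replays and stale proofs do not.
    srv = Server(password)
    nonce = srv.challenge()
    proof = client_proof(password, srv.salt, nonce)
    first = srv.verify(nonce, proof)             # genuine login
    replay = srv.verify(nonce, proof)            # same capture presented again
    stale = srv.verify(srv.challenge(), proof)   # old proof against a new nonce
    n2 = srv.challenge()
    wrong = srv.verify(n2, client_proof("wrong password", srv.salt, n2))
    return {"weak_replay_ok": weak_replay_ok, "first": first,
            "replay": replay, "stale": stale, "wrong_password": wrong}

if __name__ == "__main__":
    print(demo())
```

The server discards the nonce before checking the proof, so a failed attempt cannot be retried against the same challenge, and `hmac.compare_digest` keeps the comparison constant-time. Note that in this simplified scheme the stored verifier doubles as the HMAC key, so a server-side database leak is still password-equivalent; a production design would layer a PAKE (for example SRP or OPAQUE) on top of the nonce and KDF ideas shown here, and would also expire outstanding nonces after a short timeout.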

Details

CWE(s)

- CWE-294 Authentication Bypass by Capture-replay
- CWE-916 Use of Password Hash With Insufficient Computational Effort

Affected Products

- rustdesk / rustdesk: ≤ 1.4.5

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The CVE describes a remote (AV:N), unauthenticated (PR:N), no-interaction (UI:N) authentication bypass via session capture-replay in the RustDesk remote desktop client, which maps directly to exploitation of a public-facing application (T1190) and of remote services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References