Cyber Posture

CVE-2026-30790

CriticalPublic PoC

Published: 05 March 2026

Published
05 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 35.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer…

more

authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification. This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.

Mitigating Controls (NIST 800-53 r5)AI

AC-7 Unsuccessful Logon Attempts good match
prevent

Directly enforces limits on consecutive unsuccessful logon attempts and account locking, preventing brute force attacks on peer and API authentication.

IA-5 Authenticator Management good match
prevent

Requires secure management and protection of authenticators, including sufficient computational effort in password hashing to resist brute forcing of SHA256(SHA256(pwd+salt)+challenge).

AU-12 Audit Record Generation partial match
detect

Generates audit records for authentication events, including unsuccessful attempts, enabling detection of ongoing brute force activity.

Security SummaryAI

CVE-2026-30790 is an Improper Restriction of Excessive Authentication Attempts and Use of Password Hash With Insufficient Computational Effort vulnerability in RustDesk Server Pro (rustdesk-server-pro) versions through 1.7.5 and RustDesk Server OSS (rustdesk-server) versions through 1.1.15, affecting deployments on Windows, macOS, and Linux. The flaw impacts peer authentication and API login modules, specifically in program file src/server/connection.rs and routines for salt/challenge generation and SHA256(SHA256(pwd+salt)+challenge) verification, enabling password brute forcing. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-307 and CWE-916. The vulnerability was published on 2026-03-05.

A remote network attacker with no privileges or user interaction required can exploit this vulnerability due to the lack of rate limiting on authentication attempts and weak password hashing, allowing efficient brute forcing of credentials. Successful exploitation grants unauthorized access to the RustDesk server, potentially enabling full compromise with high impacts on confidentiality, integrity, and availability, such as remote code execution or persistent control over connected peers.

Advisories and further details on mitigation are available in the referenced publications, including a detailed report at https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub, the RustDesk GitHub repository at https://github.com/rustdesk, and Vulsec at https://www.vulsec.org/.

Details

CWE(s)
CWE-307CWE-916

Affected Products

rustdesk
rustdesk server
≤ 1.7.5 · ≤ 1.1.15

MITRE ATT&CK Enterprise TechniquesAI

T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
attack.mitre.org →
Why these techniques?

The vulnerability's lack of rate limiting on authentication attempts and weak password hashing (SHA256(SHA256(pwd+salt)+challenge)) directly enables efficient online password guessing and brute forcing of credentials for peer authentication and API logins.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References