CVE-2026-30789

Critical · Public PoC

Published: 05 March 2026
Modified: 25 March 2026
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0027 (18.3th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-30789 is a critical-severity Authentication Bypass by Capture-replay (CWE-294) vulnerability in RustDesk (vendor: Rustdesk). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.3th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-30789 is an Authentication Bypass by Capture-replay and Use of Password Hash With Insufficient Computational Effort vulnerability in the RustDesk Client (rustdesk-client). It affects the client login and peer authentication modules on Windows, macOS, Linux, iOS, and Android, and allows reuse of session IDs (session replay). The issue is associated with the program file src/client.rs and routines such as hash_password() and login proof construction. It impacts RustDesk Client versions through 1.4.5 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), mapped to CWEs 294 and 916.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By capturing and replaying session data, adversaries can bypass authentication mechanisms, achieving high confidentiality, integrity, and availability impacts, such as unauthorized access to client sessions and peer connections.

Advisories providing details on mitigations and patches are available at the following references: https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub, https://rustdesk.com/docs/en/client/, and https://www.vulsec.org/.

Vulnerability details

Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client on Windows, macOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with program files src/client.rs and program routines hash_password(), login proof construction. This issue affects RustDesk Client: through 1.4.5.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The CVE describes a remote (AV:N), unauthenticated (PR:N), no-interaction (UI:N) authentication bypass vulnerability via session capture-replay in the RustDesk remote desktop client, directly enabling exploitation of public-facing applications (T1190) and remote services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30783 (same product: Apple Iphone Os)
CVE-2026-30792 (same product: Apple Iphone Os)
CVE-2026-30795 (same product: Apple Iphone Os)
CVE-2026-30798 (same product: Apple Iphone Os)
CVE-2026-30794 (same product: Apple Iphone Os)
CVE-2026-30793 (same product: Apple Iphone Os)
CVE-2026-30797 (same product: Apple Iphone Os)
CVE-2026-30791 (same product: Apple Iphone Os)
CVE-2026-3598 (same product: Apple Macos)
CVE-2026-30790 (same product: Apple Macos)

Affected Assets

rustdesk (vendor) / rustdesk (product): ≤ 1.4.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates authentication bypass via session replay by requiring mechanisms to protect the authenticity of communications sessions, such as nonces or timestamps.

prevent

Addresses use of password hash with insufficient computational effort by requiring authenticators to have sufficient strength and protection against unauthorized reuse or disclosure.

prevent

Mitigates capture-replay attacks by enforcing confidentiality and integrity protections on transmissions during client login and peer authentication.
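
The two weakness classes named above (CWE-294 capture-replay, CWE-916 fast password hash) and the nonce-based control can be shown together in a small challenge-response sketch. This is an added example, not RustDesk's code or protocol; the Verifier class, the peer id, the iteration count and the nonce lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

KDF_ITERATIONS = 600_000  # assumption: deliberately slow; tune to your hardware
NONCE_TTL = 30.0          # assumption: seconds a challenge stays valid

def derive_key(password: str, salt: bytes) -> bytes:
    """Salted, slow KDF (addresses CWE-916): each guess costs KDF_ITERATIONS rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

def login_proof(key: bytes, nonce: bytes, peer_id: str) -> bytes:
    """Proof bound to a fresh nonce and the target peer (addresses CWE-294)."""
    return hmac.new(key, nonce + b"|" + peer_id.encode(), hashlib.sha256).digest()

class Verifier:
    """Hypothetical verifying side: issues single-use challenges, checks proofs."""

    def __init__(self, peer_id: str, password: str, clock=time.monotonic):
        self.peer_id = peer_id
        self.salt = secrets.token_bytes(16)
        self.key = derive_key(password, self.salt)
        self.clock = clock
        self.pending = {}  # nonce -> expiry time

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending[nonce] = self.clock() + NONCE_TTL
        return nonce

    def verify(self, nonce: bytes, proof: bytes) -> bool:
        # pop() consumes the nonce even when the proof is wrong: strictly single use
        expiry = self.pending.pop(nonce, None)
        if expiry is None or self.clock() > expiry:
            return False
        expected = login_proof(self.key, nonce, self.peer_id)
        return hmac.compare_digest(expected, proof)

def demo():
    """Constructed exchange: fresh login, exact replay, old proof on a new nonce."""
    v = Verifier("peer-constructed-001", "correct horse")
    client_key = derive_key("correct horse", v.salt)
    nonce = v.challenge()
    proof = login_proof(client_key, nonce, v.peer_id)
    first = v.verify(nonce, proof)
    replay = v.verify(nonce, proof)          # captured (nonce, proof) resent
    cross = v.verify(v.challenge(), proof)   # captured proof against a new nonce
    return first, replay, cross
```

The key stored by the verifier is still password-equivalent in this sketch; a PAKE such as SRP or OPAQUE removes that property.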
