CVE-2026-30790
Published: 05 March 2026
Summary
CVE-2026-30790 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Rustdesk Rustdesk Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 36.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces limits on consecutive unsuccessful logon attempts and account locking, preventing brute force attacks on peer and API authentication.
Requires secure management and protection of authenticators, including sufficient computational effort in password hashing to resist brute forcing of SHA256(SHA256(pwd+salt)+challenge).
Generates audit records for authentication events, including unsuccessful attempts, enabling detection of ongoing brute force activity.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability's lack of rate limiting on authentication attempts and weak password hashing (SHA256(SHA256(pwd+salt)+challenge)) directly enables efficient online password guessing and brute forcing of credentials for peer authentication and API logins.
NVD Description
Improper Restriction of Excessive Authentication Attempts, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux (Peer authentication, API login modules), rustdesk-server RustDesk Server (OSS) rustdesk-server on Windows, MacOS, Linux (Peer…
more
authentication, API login modules) allows Password Brute Forcing. This vulnerability is associated with program files src/server/connection.Rs and program routines Salt/challenge generation, SHA256(SHA256(pwd+salt)+challenge) verification. This issue affects RustDesk Server Pro: through 1.7.5; RustDesk Server (OSS): through 1.1.15.
Deeper analysisAI
CVE-2026-30790 is an Improper Restriction of Excessive Authentication Attempts and Use of Password Hash With Insufficient Computational Effort vulnerability in RustDesk Server Pro (rustdesk-server-pro) versions through 1.7.5 and RustDesk Server OSS (rustdesk-server) versions through 1.1.15, affecting deployments on Windows, macOS, and Linux. The flaw impacts peer authentication and API login modules, specifically in program file src/server/connection.rs and routines for salt/challenge generation and SHA256(SHA256(pwd+salt)+challenge) verification, enabling password brute forcing. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-307 and CWE-916. The vulnerability was published on 2026-03-05.
A remote network attacker with no privileges or user interaction required can exploit this vulnerability due to the lack of rate limiting on authentication attempts and weak password hashing, allowing efficient brute forcing of credentials. Successful exploitation grants unauthorized access to the RustDesk server, potentially enabling full compromise with high impacts on confidentiality, integrity, and availability, such as remote code execution or persistent control over connected peers.
Advisories and further details on mitigation are available in the referenced publications, including a detailed report at https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub, the RustDesk GitHub repository at https://github.com/rustdesk, and Vulsec at https://www.vulsec.org/.
Details
- CWE(s)