External risk intelligence

RustDesk Client Session Replay Vulnerability.

CVE advisorySeverity: MEDIUM (CVSS 5.7)

CVE-2026-30789

RustDesk is a remote desktop access application designed for connecting to and controlling systems over a network. As a remote access tool, it is commonly deployed to be reachable over the internet or across network boundaries to facilitate remote administration and support, making the client authentication and peer connection modules frequently exposed to external network traffic.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the RustDesk client allows attackers to bypass authentication by reusing session information, potentially leading to unauthorized access. This issue affects the client's login and peer authentication modules across multiple operating systems. The primary concern is to confirm if this technology is in use and assess any potential exposure.

  • Session IDs can be reused for unauthorized access.
  • Understand if RustDesk is used in your environment.
  • Confirm relevance and exposure of this technology.

Attack Path

How an attacker could exploit the issue

An attacker could potentially reuse session IDs to bypass authentication in RustDesk Client. This allows an attacker to gain unauthorized access to the client's session without proper credentials. The vulnerability is associated with client login and peer authentication modules within the application.

  • No authentication required to initiate.
  • Replay captured session IDs.
  • Unauthorized access to user sessions.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to reuse existing session IDs, potentially bypassing authentication and gaining unauthorized access to system data or user sessions when the RustDesk client is accessible over a network.

  • System access and user sessions.
  • Replaying captured session credentials.
  • Unauthorized access to connected systems.

Operational Fix

Recommended remediation, mitigation, and detection steps

The RustDesk client is likely managed by teams responsible for endpoint security, application deployment, or IT support who grant remote access. The first practical step is to inventory all instances of the RustDesk client, identify critical or externally facing deployments, and confirm the ownership of each instance before planning remediation.

  • Ownership: Endpoint security or IT support teams.
  • Verify first: Client exposure and business criticality.
  • Action: Inventory, assess risk, and coordinate updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is RustDesk Client and how is it used?

RustDesk is an open-source remote desktop application that allows users to access and control computers from another device. It is widely used by IT teams and individuals for remote technical support, system administration, and file sharing across Windows, macOS, Linux, iOS, and Android platforms. The software enables connectivity between systems over a network, acting as a bridge between the host computer and the remote operator.

What does CWE-916 mean regarding CVE-2026-30789?

CWE-916 refers to the use of password hashes with insufficient computational effort, which often makes it easier for attackers to crack passwords. In the context of CVE-2026-30789, this weakness, combined with issues in login proof construction, allows for an authentication bypass. Specifically, the client fails to securely handle session identifiers, enabling attackers to perform a capture-replay attack where they reuse a captured session ID to impersonate a legitimate user without knowing their password.

How does an attacker trigger this authentication bypass?

An attacker triggers this vulnerability by capturing valid session information and replaying it to the RustDesk client to bypass the login or peer authentication process. Crucially, this does not require the attacker to possess the actual user credentials, such as a password. Simply having access to a previously used, valid session identifier is sufficient to trick the application into granting unauthorized access to the session.

Is my instance of RustDesk at risk?

According to Halo Surface Signal, RustDesk is often deployed to be reachable over the internet or across network boundaries to support remote access. Because the client login and peer authentication modules are designed for remote interaction, they are frequently exposed to external network traffic. If your instances are accessible over a network rather than restricted to a purely internal, isolated environment, they are more likely to be reachable by an unauthorized party.

What should I do if I use RustDesk?

The first step is to perform an inventory to identify every instance of the RustDesk client running in your environment. Prioritize locating installations that are accessible over the internet or used for critical remote support tasks. Once you have a clear list of these assets and confirm who owns them, coordinate with your IT or security team to assess the risk and prepare for the necessary software updates to address the session handling vulnerability.

References