External risk intelligence

RustDesk Client Password Interception and Offline Brute Forcing Vulnerability

CVE advisorySeverity: UNKNOWN

CVE-2026-30790

The vulnerability exists in the RustDesk Server Pro /api login endpoint. As an API service used for remote access management and authentication, this interface is typically exposed to the network to facilitate remote connectivity and client authentication, making it a common internet-facing service in many deployment scenarios.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the RustDesk client's login process could allow attackers to intercept credentials, potentially enabling unauthorized access to systems. The issue specifically affects the Server Pro API login over HTTP, bypassing standard security measures through an automatic certificate downgrade.

  • Login credentials can be intercepted and cracked offline.
  • This impacts remote access management and authentication.
  • Confirm relevance and exposure for affected systems.

Attack Path

How an attacker could exploit the issue

An attacker can intercept login attempts to the RustDesk Server Pro's API over an unencrypted channel. This allows them to capture credentials, which can then be used for offline brute-force attacks to gain unauthorized access.

  • Network access required.
  • Intercept API login over HTTP.
  • Compromised credentials and server access.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, the RustDesk Server Pro login over an HTTP management channel could be exposed. This allows for interception of login credentials, which can then be subjected to offline brute-forcing attacks.

  • User authentication credentials.
  • Interception of HTTP traffic.
  • Unauthorized access to the server.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects RustDesk Server Pro and its API login over HTTP, potentially exposing credentials through network interception. Responsibility likely lies with the platform or infrastructure teams managing the RustDesk deployment, in coordination with security teams for exposure assessment and vendor management for updates. The initial practical step is to identify all instances of RustDesk Server Pro, determine their network reachability and business criticality, and confirm the accountable owner before planning remediation based on risk.

  • Platform and security teams own this issue.
  • Verify network exposure and server reachability.
  • Plan targeted remediation based on risk.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the RustDesk Client and how is it used?

RustDesk Client is a cross-platform remote desktop application that enables users to connect to and control computers remotely. It relies on a server-based architecture to facilitate these connections, handling authentication and management tasks across Windows, macOS, Linux, iOS, and Android systems.

What is the vulnerability in CVE-2026-30790?

This vulnerability involves the 'Use of Password Hash With Insufficient Computational Effort' and 'Cleartext Transmission of Sensitive Information' (CWE-307 and CWE-916). Essentially, the software uses a weak, fast hashing method for login proofs on the API path. Because these proofs lack the complexity needed to resist modern hardware, an attacker who captures them can crack the password offline quickly.

How does an attacker trigger this vulnerability?

An attacker must be able to intercept the API login traffic sent to a RustDesk Server Pro instance over an insecure HTTP management channel. This bug specifically targets that API path; it does not trigger when using the standard peer-to-peer authentication channel, which uses robust encrypted sessions that verify the host public key before any authentication data is exchanged.

Is my RustDesk Server deployment at risk?

Halo Surface Signal indicates the vulnerability is in the /api login endpoint. Because this interface is often exposed to the network to support remote connectivity, instances accessible over the internet are at higher risk. You should determine if your specific Server Pro API management interface is reachable externally.

What should I do to protect my systems?

Start by identifying all deployed instances of RustDesk Server Pro and their network reachability. Coordinate with your infrastructure and security teams to prioritize hardening the access to the /api management interface. Verify if your configuration is utilizing affected pathways and prepare to apply updates as they are provided to address the underlying login security mechanisms.