CVE-2024-25140: n/a
A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Authorities with Enhanced Key Usage of Code Signing (1.3.6.1.5.5.7.3.3), valid from 2023 until 2033. This is potentially unwanted, e.g., because there is no public documentation of security measures for the private key, and arbitrary software could be signed if the private key were to be compromised. NOTE: the vendor's position is "we do not have EV cert, so we use test cert as a workaround." Insertion into Trusted Root Certification Authorities was the originally intended behavior, and the UI ensured that the certificate installation step (checked by default) was visible to the user before proceeding with the product installation.
AI Analysis
Technical Summary
CVE-2024-25140 concerns a critical security vulnerability in RustDesk version 1.2.3 on Windows platforms. During a default installation, RustDesk places a WDKTestCert certificate into the Trusted Root Certification Authorities store. This certificate is intended for code signing (Enhanced Key Usage OID 1.3.6.1.5.5.7.3.3) and is valid for a long period (2023–2033). However, this certificate is a test certificate, not a production Extended Validation (EV) certificate, and there is no public documentation regarding the protection or management of its private key. The vendor admits to using this test certificate as a workaround due to the absence of an EV certificate. Because the certificate is trusted at the root level, any software signed with the corresponding private key will be implicitly trusted by Windows systems. If an attacker obtains the private key, they could sign malicious code that would bypass security controls such as Windows Defender SmartScreen and other code integrity checks. The installation step that adds the certificate is visible in the UI and checked by default, but users may overlook this. The vulnerability requires no privileges or user interaction to exploit, and the scope is universal across all Windows systems running this RustDesk version. The CVSS 3.1 score is 9.8 (critical), reflecting the high impact on confidentiality, integrity, and availability, combined with ease of exploitation and broad scope. This vulnerability falls under CWE-295 (Improper Certificate Validation). No patches or mitigations have been officially released at the time of publication.
Potential Impact
The impact of CVE-2024-25140 is severe for organizations worldwide using RustDesk 1.2.3 on Windows. By installing a test root certificate with code signing capabilities, the system implicitly trusts any code signed with the associated private key. If the private key is compromised or leaked, attackers can sign malware or backdoored software that will be trusted by the operating system, bypassing security mechanisms such as application whitelisting, antivirus, and endpoint detection and response (EDR) solutions. This undermines the integrity and authenticity of software running on affected systems, potentially leading to widespread malware deployment, supply chain attacks, and persistent compromise. Confidentiality is at risk as attackers could deploy spyware or ransomware signed with the trusted certificate. Availability could also be impacted if destructive payloads are signed and executed. The vulnerability requires no user interaction or privileges, increasing the likelihood of exploitation. Although no known exploits are reported in the wild yet, the high severity and ease of exploitation make this a critical risk for enterprises, government agencies, and critical infrastructure operators relying on RustDesk for remote desktop functionality.
Mitigation Recommendations
Organizations should immediately audit their Windows systems for the presence of the WDKTestCert certificate in the Trusted Root Certification Authorities store. If found, remove the certificate to eliminate implicit trust. Until an official patch or updated RustDesk version is released, consider uninstalling RustDesk 1.2.3 or blocking its installation via endpoint management tools. Monitor for updates from the RustDesk vendor regarding a fix or replacement certificate with proper private key security. Employ application control policies that restrict execution of unsigned or untrusted code, even if signed by trusted certificates. Implement network segmentation and monitoring to detect anomalous code execution or lateral movement. Educate users to carefully review installation prompts and certificate warnings. For organizations requiring remote desktop functionality, evaluate alternative solutions with verified certificate management practices. Finally, maintain robust incident response capabilities to quickly address any compromise resulting from this vulnerability.
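One way to perform the audit and optional removal recommended above, as an added example rather than code from the advisory or from RustDesk: it assumes the certificate's subject contains "WDKTestCert" (as the description states), an elevated PowerShell session on the audited host, and a `-Remove` switch name chosen here.

```powershell
# Added example, not RustDesk's or the advisory's code.
# Audits the Trusted Root stores for the WDKTestCert code-signing root described in
# CVE-2024-25140, reports matches, and removes them only when -Remove is given.
param(
    [switch]$Remove   # default is report-only; removal is an explicit decision
)

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing (from the advisory)
$SubjectPattern = 'WDKTestCert'          # subject name the advisory attributes to the test cert

# Machine-wide Trusted Root Certification Authorities plus the current user's root store,
# since a user-level root is also trusted for that user's signature checks.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -match $SubjectPattern -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $CodeSigningOid })
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
            SelfSigned = ($_.Subject -eq $_.Issuer)   # a self-signed test root is the expected shape
        }
    }
}

if (-not $findings) {
    Write-Output 'No WDKTestCert code-signing root found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Deleting the root withdraws implicit trust from anything signed with its key.
        Remove-Item -Path (Join-Path $f.Store $f.Thumbprint) -Confirm:$false
        Write-Output "Removed $($f.Thumbprint) from $($f.Store)"
    }
}
```

Run it without `-Remove` first across a fleet to inventory affected hosts; the thumbprints it reports can then be matched against other hosts before any removal.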
Affected Countries
United States, Germany, China, India, United Kingdom, France, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-02-06T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d60b7ef31ef0b570d42
Added to database: 2/25/2026, 9:45:04 PM
Last enriched: 2/28/2026, 9:37:15 AM
Last updated: 4/12/2026, 3:45:19 PM