CVE-2026-30789: CWE-294 Authentication Bypass by Capture-replay in rustdesk-client RustDesk Client
Authentication Bypass by Capture-replay and Use of Password Hash With Insufficient Computational Effort vulnerability in RustDesk Client (rustdesk-client) on Windows, macOS, Linux, iOS, and Android (client login and peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with the program file src/client.rs and the program routines hash_password() and login proof construction. This issue affects RustDesk Client through 1.4.5.
AI Analysis
Technical Summary
CVE-2026-30789 is a critical vulnerability in the RustDesk Client, a popular remote desktop software used across multiple platforms including Windows, macOS, Linux, iOS, and Android. The flaw stems from an authentication bypass caused by capture-replay attacks, where attackers can reuse valid session IDs to gain unauthorized access. This is facilitated by the client’s use of password hashes with insufficient computational effort, making it easier to compromise authentication tokens. Specifically, the vulnerability involves the client’s login proof construction and the hash_password() routine, which do not adequately protect against replaying previously captured authentication data. The vulnerability affects all versions of RustDesk Client up to 1.4.5. Exploitation requires no user interaction, privileges, or authentication, and can be performed remotely over the network. This allows attackers to impersonate legitimate users, potentially gaining full access to remote desktop sessions and sensitive data. The CVSS 4.0 base score of 9.3 reflects the critical nature of this issue, highlighting high impact on confidentiality and integrity with no required attack complexity or privileges. Although no public exploits are reported yet, the vulnerability poses a significant risk to organizations using RustDesk for remote access, especially in environments where secure authentication is critical. The lack of patches at the time of reporting necessitates immediate mitigation efforts to reduce exposure.
Potential Impact
The impact of CVE-2026-30789 is severe for organizations worldwide that use RustDesk Client for remote desktop access. Successful exploitation allows attackers to bypass authentication entirely by replaying captured session IDs, granting unauthorized access to remote systems. This can lead to data breaches, unauthorized control over critical infrastructure, lateral movement within networks, and potential deployment of malware or ransomware. Confidentiality is compromised as attackers can view sensitive information during remote sessions. Integrity is at risk because attackers can manipulate or alter data and system configurations. Availability could also be indirectly affected if attackers disrupt remote access services or deploy destructive payloads. The vulnerability’s ease of exploitation without any authentication or user interaction increases the likelihood of attacks, especially in environments with exposed RustDesk services. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly vulnerable due to the sensitive nature of their remote access needs. The widespread multi-platform support of RustDesk expands the attack surface, affecting diverse environments and increasing the global risk profile.
Mitigation Recommendations
Until an official patch is released, organizations should implement several specific mitigations to reduce risk:
- Restrict RustDesk Client network access using firewalls or VPNs to trusted IP addresses only, minimizing exposure to untrusted networks.
- Enable network-level intrusion detection and prevention systems (IDS/IPS) to monitor for replay attack patterns or unusual session reuse.
- Employ multi-factor authentication (MFA) at the network or gateway level to add an additional layer of verification beyond the vulnerable client authentication.
- Regularly audit and monitor remote access logs for suspicious session activity or repeated session IDs.
- Consider temporarily disabling RustDesk Client usage in high-risk environments or replacing it with alternative remote access solutions with stronger authentication until patches are available.
- Educate users about the risk of session replay and encourage secure handling of session tokens.
- Once patches are released, prioritize immediate deployment across all affected platforms.
- Developers should review and enhance the client’s authentication mechanisms by implementing stronger password hashing algorithms with sufficient computational effort and incorporating anti-replay protections such as nonce or timestamp validation in session tokens.
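The developer-side recommendation above (a slow password hash plus nonce and timestamp validation) is shown here as a generic challenge-response sketch. It is an added example, not RustDesk's code or wire protocol; `Verifier`, `make_proof`, the peer ID, the password and the KDF parameters are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

# Assumed parameters for this sketch (not RustDesk's).
KDF_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
CHALLENGE_TTL = 30.0       # seconds a challenge stays valid

def derive_key(password: str, salt: bytes) -> bytes:
    """Slow KDF: a captured proof is costly to brute-force offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

def make_proof(key: bytes, nonce: bytes, peer_id: str) -> bytes:
    """Client side: bind the proof to the fresh nonce and the target peer."""
    return hmac.new(key, nonce + peer_id.encode(), hashlib.sha256).digest()

class Verifier:
    """Controlled side: issues single-use challenges and checks proofs."""
    def __init__(self, peer_id: str, password: str):
        self.peer_id = peer_id
        self.salt = secrets.token_bytes(16)
        self.key = derive_key(password, self.salt)
        self.pending = {}  # nonce -> expiry time

    def challenge(self, now=None):
        now = time.monotonic() if now is None else now
        nonce = secrets.token_bytes(32)
        self.pending[nonce] = now + CHALLENGE_TTL
        return self.salt, nonce

    def verify(self, nonce: bytes, proof: bytes, now=None) -> bool:
        now = time.monotonic() if now is None else now
        expiry = self.pending.pop(nonce, None)  # pop: each nonce is accepted once
        if expiry is None or now > expiry:
            return False                         # unknown, reused or expired nonce
        expected = make_proof(self.key, nonce, self.peer_id)
        return hmac.compare_digest(expected, proof)

def demo():
    # Constructed sample values; timestamps are passed in to keep the run deterministic.
    server = Verifier("peer-123", "correct horse")
    salt, nonce = server.challenge(now=0.0)
    proof = make_proof(derive_key("correct horse", salt), nonce, "peer-123")
    first = server.verify(nonce, proof, now=1.0)
    replay = server.verify(nonce, proof, now=2.0)   # same captured message again
    _, n2 = server.challenge(now=3.0)
    stale = server.verify(n2, proof, now=4.0)       # old proof, new nonce
    _, n3 = server.challenge(now=10.0)
    late = server.verify(n3, make_proof(server.key, n3, "peer-123"),
                         now=10.0 + CHALLENGE_TTL + 1)
    return first, replay, stale, late
```

Only the first submission verifies; the replayed message, the old proof against a new nonce, and the proof that arrives after the challenge lifetime are all rejected.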
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, Canada, France, Australia, Netherlands, Sweden, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: VULSec
- Date Reserved: 2026-03-05T14:13:37.202Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a9c05f460e1c85df0c5c51
Added to database: 3/5/2026, 5:41:51 PM
Last enriched: 3/5/2026, 5:51:17 PM
Last updated: 3/5/2026, 7:05:45 PM