CVE-2026-30795 is a vulnerability classified under CWE-319, indicating cleartext transmission of sensitive information. It affects the RustDesk Client, a remote desktop software, across all major operating systems including Windows, MacOS, Linux, iOS, and Android, specifically versions up to 1.4.5. The vulnerability is located in the heartbeat synchronization loop modules, particularly in the source file src/hbbs_http/sync.Rs, where the Heartbeat JSON payload is constructed. During this process, sensitive data such as preset address book passwords are transmitted in plaintext over the network. Because this data is not encrypted or otherwise protected, an attacker with network access can perform sniffing attacks to capture these credentials. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) reflects that the attack vector is network-based, with low attack complexity, no privileges or user interaction needed, and a high impact on confidentiality. No patches or fixes are currently linked, and no exploits have been reported in the wild, but the risk remains significant due to the nature of the exposed information and the widespread use of RustDesk Client for remote access.

The primary impact of this vulnerability is the compromise of sensitive credentials transmitted in cleartext, which can lead to unauthorized access to remote desktop sessions or internal networks. Organizations relying on RustDesk Client for remote management or collaboration risk exposure of address book passwords, potentially allowing attackers to impersonate legitimate users or pivot within the network. This can result in data breaches, lateral movement, and further exploitation of internal systems. Since the vulnerability affects multiple platforms, the scope is broad, impacting enterprises with diverse device ecosystems. The lack of required authentication or user interaction increases the likelihood of successful exploitation. Confidentiality is severely impacted, while integrity and availability are less directly affected. The absence of encryption in heartbeat sync communications undermines trust in the client’s security posture and may lead to regulatory compliance issues where sensitive data protection is mandated.

To mitigate this vulnerability, organizations should first verify if they are using RustDesk Client versions up to 1.4.5 and plan immediate upgrades once a patched version is released. Until a patch is available, network-level protections should be enforced, such as deploying VPNs or encrypted tunnels (e.g., TLS) to secure all RustDesk traffic and prevent sniffing. Network segmentation and strict firewall rules can limit exposure of heartbeat synchronization traffic to trusted segments only. Monitoring network traffic for unencrypted sensitive data transmissions can help detect potential exploitation attempts. Additionally, consider disabling or restricting the use of preset address book passwords or heartbeat synchronization features if feasible. Educating users about the risks of using outdated clients and enforcing strict endpoint security policies will further reduce risk. Vendors should be urged to release patches promptly and implement encryption for all sensitive communications in future releases.