CVE-2026-3598 identifies a critical vulnerability in RustDesk Server Pro, a remote desktop server solution, affecting versions through 1.7.5 across Windows, MacOS, and Linux platforms. The root cause is the use of broken or risky cryptographic algorithms (CWE-327) within the configuration string generation and web console export modules. These cryptographic weaknesses allow attackers to retrieve embedded sensitive data, such as configuration secrets or credentials, without requiring authentication or user interaction. The vulnerability is linked to program routines responsible for exporting or generating configuration data, which are inadequately protected due to weak cryptographic practices. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no privileges or user interaction needed, and high confidentiality impact with no integrity or availability impact. Although no exploits have been observed in the wild, the vulnerability poses a significant risk to confidentiality and could facilitate further attacks if leveraged. The issue is documented under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-684 (Incorrect Control Flow Implementation), highlighting both cryptographic and logic flaws. The vulnerability was published on March 5, 2026, by VULSec and affects all supported operating systems for RustDesk Server Pro. No patches or fixes are currently linked, emphasizing the need for immediate attention from users and administrators.

The primary impact of CVE-2026-3598 is the unauthorized disclosure of sensitive embedded data within RustDesk Server Pro configurations. This can lead to exposure of credentials, encryption keys, or other confidential information critical to the secure operation of remote desktop services. Such data leakage can enable attackers to escalate privileges, move laterally within networks, or compromise additional systems. Since the vulnerability requires no authentication or user interaction and can be exploited remotely over the network, it significantly increases the attack surface. Organizations relying on RustDesk Server Pro for remote access, especially those in sectors handling sensitive data (e.g., finance, healthcare, government), face heightened risks of data breaches and operational disruption. The lack of integrity or availability impact means the service may continue running normally while leaking data, making detection more difficult. The widespread use of RustDesk Server Pro across multiple operating systems further broadens the scope of affected systems globally.

To mitigate CVE-2026-3598, organizations should immediately assess their RustDesk Server Pro deployments and prioritize upgrading to a version where this vulnerability is resolved once available. In the absence of an official patch, administrators should consider the following specific actions: 1) Disable or restrict access to configuration export and generation functionalities, especially the web console export modules, limiting exposure to trusted networks or IP addresses only. 2) Implement network-level controls such as firewall rules and VPNs to restrict access to RustDesk Server Pro management interfaces. 3) Monitor logs and network traffic for unusual access patterns or data exfiltration attempts related to configuration exports. 4) Review and rotate any credentials or keys that may have been exposed due to this vulnerability. 5) Engage with the RustDesk vendor or community for updates and recommended secure configurations. 6) Consider deploying additional encryption layers or secrets management solutions external to RustDesk to protect sensitive data. These targeted mitigations go beyond generic advice by focusing on limiting the vulnerable functionality's exposure and enhancing monitoring to detect exploitation attempts.