Critical Flaws Discovered in RustDesk: Authorization Bypass, MITM and Session Replay Vulnerabilities Could Enable Remote System Takeover

RustDesk Client and Server

Product Overview

RustDesk is an open-source remote desktop application designed to provide secure remote administration capabilities across different operating systems including Windows, Linux, macOS, Android, and iOS. The platform is widely deployed by organizations and individuals who require remote technical support, infrastructure management, or system access across distributed networks.

The architecture of RustDesk primarily consists of the following components:

  • RustDesk Client – installed on endpoint systems to initiate or accept remote connections.
  • RustDesk Server Infrastructure – the self-hosted or vendor-operated servers that coordinate connections between clients. In the open-source server this is two processes, listed next.
  • ID / Rendezvous Server (hbbs) – registers client IDs, answers ID lookups and brokers the initial direct-connection attempt during session initiation.
  • Relay Server (hbbr) – forwards session traffic when direct peer-to-peer connectivity cannot be established.

Because the application allows full remote control of connected systems, weaknesses in authentication mechanisms, certificate validation routines, session handling logic, or configuration management may introduce serious security risks. If these mechanisms fail, attackers could intercept remote sessions, manipulate communications, bypass authentication protections, or obtain unauthorized access to remote systems.

Several vulnerabilities affecting RustDesk Client and Server implementations have been identified that expose the application to attacks including authorization bypass, certificate validation failure, cross-site request forgery, API manipulation through network interception, weak authentication design, and session replay attacks.

Successful exploitation of these issues may allow remote attackers to gain control of a system running RustDesk or interfere with ongoing remote sessions.


Vulnerability Summary

CVE ID           Affected Component   CVSS   Severity   Attack Vector   Exploit Availability
CVE-2026-30797   RustDesk Client      9.3    Critical   Network         No public exploit released
CVE-2026-30794   RustDesk Client      9.1    Critical   Network         MITM exploitation feasible
CVE-2026-30793   RustDesk Client      9.0    Critical   Remote          No public exploit released
CVE-2026-30792   RustDesk Client      9.2    Critical   Network         Network interception attack possible
CVE-2026-30790   RustDesk Server      9.1    Critical   Network         Brute-force attack possible
CVE-2026-30789   RustDesk Client      9.0    Critical   Network         Replay attack possible

CVE-2026-30797

Authorization Bypass via Configuration Import

Description

A critical authorization bypass vulnerability exists in the RustDesk Client configuration import functionality. The issue originates from insufficient validation within the configuration handling process used when importing configuration data through the application’s URI handling mechanism.

Configuration imports are intended to simplify client deployment by allowing predefined connection parameters, relay server addresses, and authentication settings to be imported automatically. However, the input validation performed during this import process is insufficient.

When configuration parameters are processed, the client does not distinguish configuration that an administrator deployed from configuration handed to it by an arbitrary URI or network message. As a result, configuration data from untrusted sources can be accepted and applied without any check that the request is authorized.

If a malicious configuration payload is delivered through the RustDesk URI scheme handler or injected through manipulated network traffic, the application may import attacker-controlled parameters that modify the client’s behavior.

This condition may result in unauthorized redirection of client communication to attacker-controlled infrastructure.


Affected Components

  • RustDesk Client
  • Desktop platforms and mobile clients may be impacted depending on version.

Impact

Successful exploitation could allow an attacker to:

  • Redirect the client to malicious relay servers
  • Override security parameters
  • Modify authentication settings
  • Establish unauthorized remote sessions
  • Manipulate trusted connection lists

Because RustDesk allows full remote control once a session is established, exploitation could ultimately lead to complete system compromise.


Exploitation Scenario

In a realistic attack scenario, the following chain of events may occur:

  1. The attacker gains network access within the same environment as the victim.
  2. Configuration import traffic or URI handling mechanisms are targeted.
  3. A specially crafted configuration payload is delivered to the client.
  4. The client automatically processes the payload.
  5. Security parameters are replaced with attacker-controlled values.

Once the configuration is modified, the attacker may redirect the client to connect through malicious relay infrastructure where remote sessions can be intercepted or controlled.


Proof-of-Concept (Educational)

A basic demonstration payload illustrating how configuration injection could be triggered through the URI handler is shown below.

rustdesk://config/import?relay=malicious-relay.example&key=attacker_key&trusted=true

If the client processes the URI without validation, the configuration may be imported automatically.

This example is provided for educational testing and defensive research purposes only.
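To make the difference between an unchecked and a checked import concrete, the following is an added example (my code, not RustDesk's) that parses the illustrative URI above and applies it both ways. The URI shape and the parameter names relay, key and trusted are taken from the payload above; the allowlisted host, the pinned key and the set of protected settings are constructed for the demo.

```python
"""Validate a rustdesk://config/import?... URI before applying it.

Added example, not RustDesk's own code. The URI shape and the parameter
names (relay, key, trusted) follow the illustrative payload in the text;
the allowlist, pinned key and protected-setting names are constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: the only relay hosts this fleet may use, each bound
# to the server public key the operator distributed out of band.
PINNED_SERVERS = {
    "relay.corp.example": "OPERATOR_DISTRIBUTED_KEY_abc123",
}

# Settings an unauthenticated URI must never be allowed to change.
PROTECTED_KEYS = {"trusted", "password", "permanent-password", "whitelist"}


class ConfigImportRejected(Exception):
    pass


def parse_config_uri(uri: str) -> dict:
    """Parse the URI into a flat dict; refuse anything that is not a config import."""
    parts = urlparse(uri)
    if parts.scheme != "rustdesk" or parts.netloc != "config" or parts.path != "/import":
        raise ConfigImportRejected(f"not a config import URI: {uri!r}")
    qs = parse_qs(parts.query, keep_blank_values=True)
    # Duplicate parameters are a classic parser-differential trick; refuse them.
    dupes = [k for k, v in qs.items() if len(v) > 1]
    if dupes:
        raise ConfigImportRejected(f"duplicate parameters: {dupes}")
    return {k: v[0] for k, v in qs.items()}


def apply_config_unchecked(current: dict, uri: str) -> dict:
    """Vulnerable pattern: every parameter in the URI is applied verbatim."""
    new = dict(current)
    new.update(parse_config_uri(uri))
    return new


def apply_config_checked(current: dict, uri: str) -> dict:
    """Hardened pattern: protected keys untouchable, relay allowlisted, key pinned."""
    params = parse_config_uri(uri)
    # 1. A URI may not touch security-relevant settings at all.
    blocked = PROTECTED_KEYS & params.keys()
    if blocked:
        raise ConfigImportRejected(f"URI may not set protected keys: {sorted(blocked)}")
    relay = params.get("relay")
    if relay is not None:
        # 2. The relay must be well formed and on the operator allowlist ...
        if not re.fullmatch(r"[A-Za-z0-9.-]+(:\d{1,5})?", relay):
            raise ConfigImportRejected(f"malformed relay host: {relay!r}")
        host = relay.split(":")[0].lower()
        if host not in PINNED_SERVERS:
            raise ConfigImportRejected(f"relay {host!r} not on allowlist")
        # 3. ... and the advertised key must match the pin, so an attacker
        #    cannot pair an allowed hostname with their own key.
        if params.get("key") != PINNED_SERVERS[host]:
            raise ConfigImportRejected(f"key for {host!r} does not match pin")
    new = dict(current)
    new.update(params)
    return new


if __name__ == "__main__":
    current = {"relay": "relay.corp.example", "key": "OPERATOR_DISTRIBUTED_KEY_abc123"}
    hostile = "rustdesk://config/import?relay=malicious-relay.example&key=attacker_key&trusted=true"
    print("unchecked:", apply_config_unchecked(current, hostile))
    try:
        apply_config_checked(current, hostile)
    except ConfigImportRejected as e:
        print("checked: rejected,", e)
```

The point of step 3 is that allowlisting the hostname alone is not enough: whoever controls DNS or the network path can still answer for an allowed name, so the server key has to be pinned alongside it.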


MITRE ATT&CK Mapping

Technique                            ID
Exploit Public-Facing Application    T1190
Adversary-in-the-Middle              T1557
Modify Authentication Process        T1556
Impair Defenses                      T1562

Indicators of Compromise

Possible signs of exploitation include:

  • Unexpected changes to RustDesk configuration files
  • Relay server addresses replaced with unknown infrastructure
  • Sudden outbound connections to unfamiliar IP addresses
  • Unauthorized remote sessions appearing in logs
  • Configuration imports occurring without administrator action

Detection

Log Sources

Detection may rely on the following data sources:

  • Endpoint application logs
  • EDR telemetry
  • Network firewall logs
  • DNS monitoring systems
  • Proxy logs
  • RustDesk client logs

Splunk Query

index=endpoint_logs sourcetype=rustdesk
("config" AND "import")
| stats count by host user command

Elastic Query

event.dataset:rustdesk AND message:*config*import*

KQL Query

DeviceProcessEvents
| where ProcessCommandLine contains "rustdesk://config"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine

Suricata Rule

alert http any any -> any any (
msg:"RustDesk Suspicious Configuration Import";
content:"rustdesk://config/import";
nocase;
sid:210001;
rev:1;
)

This rule only sees cleartext HTTP. A page that triggers the URI handler over HTTPS is invisible to it unless TLS is terminated in front of the sensor, so pair it with the endpoint command-line detection above.

Mitigation

The following defensive measures should be implemented:

  • Disable automatic configuration imports where not required
  • Restrict URI scheme execution using endpoint security policies
  • Monitor outbound connections to relay infrastructure
  • Validate configuration integrity using endpoint monitoring
  • Restrict network access to trusted relay servers

Official Patch

RustDesk has released updated versions addressing this issue.

Official upgrade location:

https://github.com/rustdesk/rustdesk/releases


CVE-2026-30794

Improper Certificate Validation Enabling Man-in-the-Middle

Description

A flaw has been identified in the TLS certificate validation logic used by RustDesk during secure communication between client and server components.

The validation mechanism responsible for verifying server certificates does not enforce strict trust verification under certain conditions. Because certificate authenticity is not adequately confirmed, malicious certificates may be accepted during the TLS handshake process.

When this occurs, encrypted sessions may be established with an attacker rather than the legitimate RustDesk server.


Impact

If exploited, the following outcomes may occur:

  • Remote session interception
  • Credential theft
  • Remote command injection
  • Remote session hijacking
  • Manipulation of session traffic

Attackers positioned within the network path may intercept RustDesk communications and impersonate trusted servers.


Exploitation Scenario

  1. A malicious actor gains network access within the victim’s environment.
  2. Network traffic between the RustDesk client and server is intercepted.
  3. A fraudulent TLS certificate is presented to the client.
  4. The client fails to reject the certificate.
  5. Secure communication is established with the attacker.

This condition allows full visibility into remote session traffic.
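The detection queries that follow look for an unexpected certificate. The following is an added example (my code, not RustDesk's) that runs that check over Suricata EVE tls events: it compares the server certificate fingerprint against a pinned value and, separately, reports sessions where no certificate was visible at all. The events are constructed for the demo; their field names follow Suricata's EVE JSON schema. The hostname, the monitored ports and the pinned fingerprint are assumptions for a fictional deployment.

```python
"""Pin-based check for TLS sessions to a RustDesk HTTPS endpoint, run over
Suricata EVE `tls` events.

Added example, not RustDesk's own code. The events below are constructed;
their field names (event_type, dest_port, tls.sni, tls.subject, tls.issuerdn,
tls.fingerprint, tls.version) follow Suricata's EVE JSON schema. Hostname,
ports and the pinned fingerprint are assumptions.
"""
import json
from typing import Dict, Iterable, List, Optional

# Pinned SHA-1 fingerprint of the certificate actually installed on the
# endpoint, recorded at deployment time (constructed value).
PINNED_FINGERPRINTS: Dict[str, str] = {
    "api.rustdesk.corp.example": "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd",
}
# Assumption: the HTTPS API/web endpoint listens on 21114 or 443. RustDesk's
# rendezvous/relay ports are not TLS and are out of scope for this check.
MONITORED_PORTS = {21114, 443}

# Constructed sample: a good session, a forged certificate that copies the
# real subject and issuer strings, a TLS 1.3 session, and unrelated traffic.
SAMPLE_EVE = """
{"timestamp":"2026-03-01T10:00:01Z","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":21114,"tls":{"sni":"api.rustdesk.corp.example","subject":"CN=api.rustdesk.corp.example","issuerdn":"CN=Corp Issuing CA","fingerprint":"aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd","version":"TLS 1.2"}}
{"timestamp":"2026-03-01T10:00:07Z","event_type":"tls","src_ip":"10.0.0.6","dest_ip":"10.0.0.20","dest_port":21114,"tls":{"sni":"api.rustdesk.corp.example","subject":"CN=api.rustdesk.corp.example","issuerdn":"CN=Corp Issuing CA","fingerprint":"11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44","version":"TLS 1.2"}}
{"timestamp":"2026-03-01T10:00:09Z","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"10.0.0.20","dest_port":21114,"tls":{"sni":"api.rustdesk.corp.example","version":"TLS 1.3"}}
{"timestamp":"2026-03-01T10:00:12Z","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","dest_port":443,"tls":{"sni":"www.example.com","subject":"CN=www.example.com","issuerdn":"CN=Some Public CA","fingerprint":"de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef","version":"TLS 1.2"}}
"""


def check_tls_event(ev: dict) -> Optional[dict]:
    """Alert for a pinned endpoint whose certificate is wrong or not visible;
    None for anything that is fine or out of scope."""
    if ev.get("event_type") != "tls" or ev.get("dest_port") not in MONITORED_PORTS:
        return None
    tls = ev.get("tls", {})
    sni = tls.get("sni", "").lower()
    if sni not in PINNED_FINGERPRINTS:
        return None
    base = {"src_ip": ev.get("src_ip"), "dest_ip": ev.get("dest_ip"), "sni": sni}
    fingerprint = tls.get("fingerprint", "").lower()
    if not fingerprint:
        # TLS 1.3 encrypts the Certificate message, so a passive sensor never
        # sees it. Report the visibility gap; it is not proof of tampering.
        return {**base, "kind": "no_cert_visible", "version": tls.get("version")}
    if fingerprint != PINNED_FINGERPRINTS[sni]:
        # Subject and issuer strings are attacker-chosen in a forged cert, so
        # the comparison is on the fingerprint, never on those fields.
        return {**base, "kind": "pin_mismatch", "fingerprint": fingerprint,
                "issuer": tls.get("issuerdn")}
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = check_tls_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVE.splitlines()):
        print(alert)
```

The second sample event is the case the Splunk and Elastic queries below miss if they only group on issuer: an interception certificate can carry the legitimate subject and issuer text verbatim, and only the fingerprint (or the public key) tells it apart.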


Detection

Log Sources

  • TLS inspection appliances
  • Firewall logs
  • Network IDS
  • Endpoint network monitoring
  • RustDesk client logs

Two caveats apply to every TLS-based detection below. First, RustDesk's rendezvous and relay protocol (TCP/UDP 21115-21119 by default) is not TLS; it carries its own NaCl-based encryption, so TLS inspection and tls-keyword IDS rules only observe the HTTPS API/web endpoint (port 21114 by default) and any reverse proxy in front of it. Second, TLS 1.3 encrypts the server's Certificate message, so a passive sensor cannot log the certificate subject, issuer or fingerprint for 1.3 sessions; certificate-based rules need TLS 1.2 traffic or an inspection point that terminates TLS.

Splunk Query

index=network_logs
("rustdesk" AND "tls")
| stats count by src_ip dest_ip certificate_issuer

Elastic Query

network.protocol:tls AND process.name:rustdesk

KQL Query

DeviceNetworkEvents
| where InitiatingProcessFileName == "rustdesk.exe"
| where RemotePort between (21114 .. 21119)
| summarize connections = count(), first = min(Timestamp), last = max(Timestamp) by RemoteIP, RemotePort
// 21117 is the relay port and 21114 the HTTPS API port; any RemoteIP on these
// ports that is not one of your own servers deserves a look.

Suricata Rule

alert tls any any -> any any (
msg:"Possible RustDesk MITM TLS Interception - unexpected server certificate";
flow:established,to_client;
tls.sni; content:"<rustdesk-api-hostname>"; nocase;
tls.cert_subject; content:!"<expected certificate subject>";
sid:210002;
rev:2;
)

A sticky buffer such as tls.cert_subject needs a content match after it; on its own the rule does not load. Replace the two placeholders with the hostname clients connect to and the subject string of the certificate you actually deployed, so the rule fires on any session to that name that presents something else. Because subject text is attacker-controlled in a forged certificate, a fingerprint-based check (tls.fingerprint) is the stronger variant.

Official Patch

https://github.com/rustdesk/rustdesk/releases


CVE-2026-30793

Cross-Site Request Forgery Privilege Escalation

Description

A cross-site request forgery vulnerability has been identified within the RustDesk client interface responsible for handling privileged API operations.

Insufficient validation of request origin allows unauthorized requests to be submitted on behalf of an authenticated user. When a user with elevated privileges interacts with a malicious webpage, the page may issue hidden requests targeting RustDesk APIs running locally.

These requests may trigger configuration changes or privileged actions without user awareness.


Potential Impact

  • Privileged configuration changes
  • Unauthorized session approvals
  • Changes to remote connection settings
  • Activation of remote access permissions
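Cross-site request forgery works because the browser attaches the victim's ambient authority to any request a page makes, so the server side has to tell a request its own page made from one a hostile page made. The following is an added example (my code, not RustDesk's) of that gate for a local privileged API, written in Python to match the other examples on this page: it rejects state-changing requests that the browser marks as cross-site, that come from an origin other than the API's own, or that lack a per-session anti-CSRF token. The allowed origins, the port and the header names of the token are constructed for the demo.

```python
"""Origin-aware gate for state-changing requests to a local privileged API.

Added example, not RustDesk's code. Allowed origins, the port 21114 and the
X-CSRF-Token header name are constructed; Origin, Referer and Sec-Fetch-Site
are standard browser headers.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"http://127.0.0.1:21114", "http://localhost:21114"}  # assumption
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


class CsrfGuard:
    def __init__(self) -> None:
        # In a real service this set is per session; one global set is enough
        # to show the check.
        self._issued = set()

    def issue_token(self) -> str:
        """Handed to the legitimate UI after it authenticates; never to a third-party page."""
        token = secrets.token_urlsafe(32)
        self._issued.add(token)
        return token

    @staticmethod
    def _origin_of(headers: Dict[str, str]) -> Optional[str]:
        if "origin" in headers:
            return headers["origin"].rstrip("/").lower()
        ref = headers.get("referer")
        if ref:
            p = urlsplit(ref)
            if p.scheme and p.netloc:
                return f"{p.scheme}://{p.netloc}".lower()
        return None

    def check(self, method: str, headers: Dict[str, str],
              body_token: Optional[str] = None) -> Tuple[bool, str]:
        h = {k.lower(): v for k, v in headers.items()}
        if method.upper() not in STATE_CHANGING:
            return True, "safe method"
        # 1. Fetch metadata: browsers label requests a foreign page initiated.
        sfs = h.get("sec-fetch-site")
        if sfs in ("cross-site", "same-site"):
            return False, f"Sec-Fetch-Site={sfs}"
        # 2. Origin (or Referer as fallback) must be the API's own origin;
        #    a state-changing request with neither header is refused.
        origin = self._origin_of(h)
        if origin is None:
            return False, "state-changing request without Origin/Referer"
        if origin not in ALLOWED_ORIGINS:
            return False, f"origin {origin} not allowed"
        # 3. The request must carry a token only the legitimate UI could have
        #    obtained; a hostile page cannot read it across origins.
        token = h.get("x-csrf-token") or body_token
        if not token or not any(
            hmac.compare_digest(token.encode(), t.encode()) for t in self._issued
        ):
            return False, "missing or unknown CSRF token"
        return True, "ok"


if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.issue_token()
    legit = {"Origin": "http://127.0.0.1:21114", "Sec-Fetch-Site": "same-origin",
             "X-CSRF-Token": token}
    forged = {"Origin": "http://evil.example", "Sec-Fetch-Site": "cross-site"}
    print("legitimate UI:", guard.check("POST", legit))
    print("hostile page :", guard.check("POST", forged))
```

Each layer covers a gap in the others: old browsers omit Sec-Fetch-Site, privacy settings strip Referer, and the token alone is undone by a page that can read it, so a local API should demand all three before it approves a session or changes a setting.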

Detection

Log Sources

  • Browser logs
  • API server logs
  • Endpoint monitoring
  • Web security gateways

Splunk Query

index=api_logs
method=POST
| stats count by src_ip uri

Elastic Query

http.request.method:POST AND process.name:rustdesk

KQL Query

DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")
| where RemotePort == 21116
// A browser process should never talk to RustDesk service ports directly; a
// hit here is a page driving the client on the user's behalf.

Official Patch

https://github.com/rustdesk/rustdesk/releases


CVE-2026-30792

API Message Manipulation via Man-in-the-Middle

Description

A weakness in the API message integrity validation process allows network attackers to modify messages exchanged between RustDesk components.

Session control messages and authentication data may be intercepted and altered before reaching their intended destination.


Impact

  • Command injection into active sessions
  • Session parameter manipulation
  • Forced connection termination
  • Unauthorized session creation

Detection

Splunk Query

index=network_logs
("rustdesk" AND "session")
| stats count by src_ip dest_ip

Elastic Query

network.protocol:tcp AND process.name:rustdesk

KQL Query

DeviceNetworkEvents
| where InitiatingProcessFileName contains "rustdesk"
| where RemotePort between (21114 .. 21119)
| summarize connections = count() by RemoteIP, RemotePort
// Compare RemoteIP against the ID and relay servers you actually operate;
// a client exchanging session messages with any other host on these ports
// is the signal, not the connection count itself.

Official Patch

https://github.com/rustdesk/rustdesk/releases


CVE-2026-30790

Weak Authentication Mechanism

Description

A weakness in the authentication design of RustDesk Server allows attackers to perform brute-force attacks against authentication credentials.

The challenge-response handshake relies on parameters controlled by the server, which reduces the effective entropy of the value an attacker must guess, so repeated attempts have a realistic chance of recovering a valid authentication token.


Impact

Attackers may be able to:

  • Guess authentication credentials
  • Access protected sessions
  • Perform unauthorized administrative actions
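Whatever the handshake's exact weakness, a brute-force attempt leaves the same trace: many failures from one source in a short window, often followed by a success. The following is an added example (my code, not RustDesk's) that runs that sliding-window logic over constructed log lines and pairs it with the server-side throttle that makes the same guessing loop slow. The log format is constructed for the demo, since the page shows no server log format, so the regular expression must be adapted to what your ID/API server actually emits; the addresses are documentation ranges.

```python
"""Sliding-window brute-force detection over authentication log lines, plus a
server-side throttle that makes the same guessing loop expensive.

Added example, not RustDesk's own code. The log lines and their format are
constructed for the demo; LINE_RE must be adapted to the real server log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<result>login failed|login ok) "
    r"id=(?P<id>\d+) src=(?P<src>[\d.]+)$"
)

# Constructed sample: six failures in 26 seconds from one source, then a
# success; a second source with a single miss.
SAMPLE_LOG = """\
2026-03-01T09:00:00 hbbs login failed id=123456789 src=203.0.113.7
2026-03-01T09:00:04 hbbs login failed id=123456789 src=203.0.113.7
2026-03-01T09:00:09 hbbs login failed id=123456789 src=203.0.113.7
2026-03-01T09:00:15 hbbs login failed id=123456789 src=203.0.113.7
2026-03-01T09:00:20 hbbs login failed id=123456789 src=203.0.113.7
2026-03-01T09:00:21 hbbs login failed id=987654321 src=198.51.100.4
2026-03-01T09:00:26 hbbs login failed id=123456789 src=203.0.113.7
2026-03-01T09:00:31 hbbs login ok id=123456789 src=203.0.113.7
2026-03-01T09:05:00 hbbs login ok id=987654321 src=198.51.100.4
"""


def detect(lines: Iterable[str], threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, str]]:
    """Alert once per source that reaches `threshold` failures inside `window`,
    and again, with higher priority, if that source then logs in successfully."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if m["result"] == "login ok":
            if src in alerted:              # the guessing worked: top priority
                alerts.append(("success_after_bruteforce", src, m["id"]))
            continue
        q = failures[src]
        q.append(ts)
        while q and ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append(("bruteforce", src, m["id"]))
    return alerts


class LoginThrottle:
    """Server-side mitigation: exponential delay per source after a few free
    misses. Pair it with a per-ID counter, since a distributed attacker
    spreads guesses across many sources."""

    def __init__(self, free_attempts: int = 3, max_delay: float = 300.0):
        self.free = free_attempts
        self.max_delay = max_delay
        self.fails = defaultdict(int)

    def record(self, src: str, success: bool) -> float:
        """Return the delay in seconds to impose before answering this source again."""
        if success:
            self.fails.pop(src, None)
            return 0.0
        self.fails[src] += 1
        extra = self.fails[src] - self.free
        return 0.0 if extra <= 0 else min(2.0 ** extra, self.max_delay)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
    throttle = LoginThrottle()
    print([throttle.record("203.0.113.7", False) for _ in range(6)])
```

The success-after-failures alert is the one to page on: a burst of failures is noise until a login from the same source proves that the guessing converged.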

Detection

Splunk Query

index=auth_logs
("login failed" OR "authentication failure")
| stats count by src_ip

Elastic Query

event.category:authentication AND event.outcome:failure

KQL Query

// SigninLogs is the Entra ID sign-in table; it only covers RustDesk when the
// server is fronted by Entra SSO. Otherwise ingest the server's own auth log
// and apply the same failures-per-source logic to that table.
SigninLogs
| where ResultType != 0
| summarize failures = count() by IPAddress
| where failures > 20

Official Patch

https://github.com/rustdesk/rustdesk/releases


CVE-2026-30789

Session Replay Authentication Bypass

Description

A session replay vulnerability exists within the authentication process of RustDesk Client. Session tokens used during authentication may remain valid for longer than intended or may not be properly invalidated.

If authentication traffic is captured, the session token may be replayed to bypass login protections.


Impact

  • Unauthorized remote session access
  • Authentication bypass
  • Session hijacking
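The two weaknesses above, message manipulation (CVE-2026-30792) and replay (CVE-2026-30789), are defeated by the same construction: every session-control message carries a sequence number and a timestamp, and a MAC under the session key covers all of it. The following is an added example (my code, not RustDesk's protocol, whose real wire format is protobuf inside its own NaCl-based encryption) that shows the sender, an on-path attacker editing a message, and a receiver that rejects the edited message, an exact replay and a stale capture. The message layout and the hypothetical operation names are constructed for the demo.

```python
"""Integrity-protected session-control messages with replay protection.

Added example, not RustDesk's protocol. The JSON body + HMAC-SHA256 layout,
the seq/ts fields and the operation names are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import time

TAG_LEN = 32  # HMAC-SHA256 output length


class MessageRejected(Exception):
    pass


def seal(session_key: bytes, seq: int, payload: dict, now: float) -> bytes:
    """Sender side: bind sequence number, timestamp and payload under one MAC."""
    body = json.dumps(
        {"seq": seq, "ts": int(now), "payload": payload},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(session_key, body, hashlib.sha256).digest()
    return body + tag


def tamper(msg: bytes, old: bytes, new: bytes) -> bytes:
    """What an on-path attacker does: edit the body and keep the original tag."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if old not in body:
        raise ValueError("pattern not present in message body")
    return body.replace(old, new) + tag


class Receiver:
    """Receiver side: verify the MAC, then freshness, then an anti-replay window."""

    def __init__(self, session_key: bytes, max_skew: float = 30.0, window: int = 64):
        self.key = session_key
        self.max_skew = max_skew
        self.window = window
        self.highest = -1
        self.seen = set()

    def open(self, msg: bytes, now: float) -> dict:
        if len(msg) <= TAG_LEN:
            raise MessageRejected("truncated message")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison, done before the body is parsed: any
        # modified byte fails here.
        if not hmac.compare_digest(tag, expected):
            raise MessageRejected("MAC mismatch (message altered in transit)")
        obj = json.loads(body)
        seq, ts = obj["seq"], obj["ts"]
        # Freshness: a message captured earlier and replayed later is stale.
        if abs(now - ts) > self.max_skew:
            raise MessageRejected("stale timestamp")
        # Anti-replay: sliding window over sequence numbers, so reordering
        # within the window is tolerated but an exact re-send is not.
        if seq <= self.highest - self.window:
            raise MessageRejected("sequence number outside window")
        if seq in self.seen:
            raise MessageRejected("replayed sequence number")
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return obj["payload"]


if __name__ == "__main__":
    key = os.urandom(32)
    now = time.time()
    rx = Receiver(key)
    msg = seal(key, 1, {"op": "deny_session", "peer": "123456789"}, now)
    print("first delivery:", rx.open(msg, now))
    attempts = [
        ("replay", msg, now + 1),
        ("tampered", tamper(msg, b"deny_session", b"approve_session"), now + 1),
        ("stale", seal(key, 2, {"op": "deny_session"}, now - 3600), now),
    ]
    for label, m, t in attempts:
        try:
            rx.open(m, t)
        except MessageRejected as e:
            print(f"{label}: rejected ({e})")
```

Order matters in open(): the MAC is checked first so that an attacker cannot drive the parser or the replay bookkeeping with unauthenticated input, and the timestamp bound keeps the replay window from growing without limit when a token is captured and held for later.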

Detection

Splunk Query

index=session_logs
| stats dc(src_ip) as sources values(src_ip) as src_ips count by session_id
| where sources > 1

Elastic Query

event.dataset:session AND event.action:login

KQL Query

DeviceLogonEvents
| summarize sources = dc(RemoteIP), first = min(Timestamp), last = max(Timestamp) by AccountName, DeviceName
| where sources > 1
// The same account reaching one device from several addresses in a short
// span is the replay signature; a plain count per account says nothing.

Official Patch

https://github.com/rustdesk/rustdesk/releases


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.