Potential Trust Issue in RustDesk by RustDesk Technologies
CVE-2024-25140

9.8CRITICAL

Key Information:

Vendor

Rustdesk

Status
Vendor
CVE Published:
6 February 2024

What is CVE-2024-25140?

A default installation of RustDesk version 1.2.3 on Windows includes a WDKTestCert certificate within the Trusted Root Certification Authorities that is intended for code signing. This certificate, valid until 2033, raises concerns especially given the lack of publicly documented security measures regarding the private key's protection. If this private key is compromised, it could allow unauthorized users to sign arbitrary software, creating significant security vulnerabilities. The vendor has noted the use of this test certificate as a workaround due to the absence of an Extended Validation (EV) certificate, with the user interface of RustDesk clearly indicating this installation step during the setup process.

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.