CVE-2024-25140

9.8 CRITICAL

📋 TL;DR

A default installation of RustDesk 1.2.3 on Windows automatically installs a test code signing certificate into the Trusted Root Certification Authorities store. This allows any software signed with the corresponding private key to be trusted by Windows, potentially enabling malware execution if the private key is compromised. All Windows users with default RustDesk 1.2.3 installations are affected.

💻 Affected Systems

Products:
  • RustDesk
Versions: 1.2.3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations where certificate installation was accepted during setup (checked by default).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain the private key and sign malicious executables that Windows trusts automatically, leading to widespread malware deployment, system compromise, and persistent backdoors.

🟠 Likely Case

Attackers could sign and distribute malware that bypasses Windows security warnings, increasing infection success rates for targeted attacks.

🟢 If Mitigated

With proper certificate management and monitoring, unauthorized signed software would be detected before execution, limiting impact to isolated incidents.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires obtaining the private key, which hasn't been publicly disclosed. Once obtained, signing malicious code is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/rustdesk/rustdesk/discussions/6444

Restart Required: No

Instructions:

No official patch exists. Remove the certificate manually and consider alternative remote desktop solutions.

🔧 Temporary Workarounds

Remove WDKTestCert from Trusted Root Store

Platform: Windows

Manually delete the vulnerable certificate from Windows certificate store

certlm.msc (Run as Administrator)
Navigate to: Trusted Root Certification Authorities > Certificates
Find and delete certificate named 'WDKTestCert' issued by 'WDKTestCert'

Uninstall RustDesk 1.2.3

Platform: Windows

Completely remove the vulnerable software version

Control Panel > Programs > Uninstall RustDesk

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of newly signed software
  • Monitor certificate store changes and alert on unexpected trusted certificate installations

🔍 How to Verify

Check if Vulnerable:

Open certlm.msc as Administrator, navigate to Trusted Root Certification Authorities > Certificates, check for certificate named 'WDKTestCert' issued by 'WDKTestCert'

Check Version:

Check RustDesk version in About dialog or Programs list

Verify Fix Applied:

Confirm the WDKTestCert certificate no longer appears in Trusted Root Certification Authorities store
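
The certlm.msc check, removal and re-verification described above, scripted in PowerShell as an added example (not from the vendor advisory or the RustDesk project). It assumes the certificate's subject and issuer both carry CN=WDKTestCert, as named on this page; the parameter names `-StorePath` and `-Remove` are chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and optionally remove the WDKTestCert root certificate.
# Assumption: Subject and Issuer both carry CN=WDKTestCert, matching the
# name and issuer given on this page.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical parameter names chosen for this example.
    [string]$StorePath = 'Cert:\LocalMachine\Root',   # the store certlm.msc shows
    [switch]$Remove
)

$cn = 'CN=WDKTestCert'

function Find-TestRoot {
    Get-ChildItem -Path $StorePath | Where-Object {
        # Match the CN component exactly so similarly named certificates
        # (for example CN=WDKTestCert2) are not selected for removal.
        $_.Subject -match "(^|, )$cn(,|$)" -and $_.Issuer -match "(^|, )$cn(,|$)"
    }
}

$found = @(Find-TestRoot)
if ($found.Count -eq 0) {
    Write-Output "No WDKTestCert certificate in $StorePath."
    exit 0
}

# Print the details first: the thumbprint is useful afterwards for finding
# files whose signature chains to this certificate.
$found | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

if ($Remove) {
    foreach ($cert in $found) {
        # Remove-Item honours -WhatIf / -Confirm passed to this script.
        Remove-Item -Path $cert.PSPath
    }
}

# Re-check the store so the exit code reflects the final state.
$left = @(Find-TestRoot)
if ($left.Count -gt 0) {
    Write-Warning "$($left.Count) WDKTestCert certificate(s) still trusted in $StorePath."
    exit 1
}
Write-Output "WDKTestCert removed from $StorePath."
```

Run without `-Remove` to audit only; the exit code is 1 while the certificate is still trusted, which suits a scheduled compliance check.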

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs: Certificate store modifications (Event ID 1000-1010 in CertificateServices-Client-Lifecycle-System)
  • Process creation events for newly signed executables

Network Indicators:

  • Network traffic from RustDesk processes to unusual destinations
  • Downloads of signed executables from unknown sources

SIEM Query:

EventID=1000 OR EventID=1001 OR EventID=1002 | where CertificateIssuerName contains "WDKTestCert"
