A remote attacker can execute arbitrary code on a device that is running an Rsync server. The attacking client requires only anonymous read access to the server, as offered by public mirrors.

Additionally, attackers in control of a malicious server can read and write arbitrary files on any connected client. Sensitive data, such as OpenPGP and SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt.
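
Because the server-side attack needs only anonymous read access, it helps to inventory which daemon modules are reachable without credentials. The following Python script is an added example, not part of the original advisory: it parses an `rsyncd.conf` and lists modules with no effective `auth users` setting, along with their `hosts allow` value. The sample configuration, module names and function names are constructed for illustration.

```python
import re

# Constructed sample rsyncd.conf for illustration (not from the advisory).
SAMPLE_CONF = """\
hosts allow = 192.0.2.0/24
[mirror]
    path = /srv/mirror
    read only = yes
    hosts allow = *
[backup]
    path = /srv/backup
    auth users = backupsvc
[internal]
    path = /srv/internal
"""

def _key(name):
    # rsyncd.conf ignores whitespace in parameter names; lowercase to match.
    return re.sub(r"\s+", "", name).lower()

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) parsed from rsyncd.conf text."""
    globals_, modules = {}, {}
    current = globals_  # parameters before the first [module] are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
        elif "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            current[_key(name)] = value.strip()
    return globals_, modules

def anonymous_modules(text):
    """List (module, hosts allow) for modules with no effective 'auth users'."""
    globals_, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        effective = {**globals_, **params}  # module values override globals
        if not effective.get("authusers"):
            findings.append((name, effective.get("hostsallow", "(any host)")))
    return findings

if __name__ == "__main__":
    for module, hosts in anonymous_modules(SAMPLE_CONF):
        print(f"anonymous access: [{module}] hosts allow = {hosts}")
```

A module listed here accepts connections without a password from the hosts shown, so it matches the access level the advisory describes.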