7 Critical Facts About the xrdp RCE Vulnerability (CVE-2025-68670)

Introduction

In the world of remote desktop solutions, xrdp is a widely used open-source server for Linux that provides a graphical login to remote machines. However, a recent security audit by Kaspersky’s team on their USB Redirector module — an add-on for Kaspersky Thin Client — uncovered a critical remote code execution (RCE) vulnerability in the xrdp server itself. Tracked as CVE-2025-68670, this flaw could allow an attacker to execute arbitrary code on a vulnerable system before authentication. The xrdp maintainers acted swiftly, releasing patches in versions 0.10.5, 0.9.27, and 0.10.4.1. Here are seven things you need to know to understand and mitigate this threat.

Source: securelist.com

1. The Vulnerability Originates from the Client-Server Settings Exchange

The RDP connection process involves multiple stages where the client and server negotiate capabilities. One critical phase is the Secure Settings Exchange, occurring just before user authentication. During this phase, the client sends a Client Info PDU containing sensitive data such as username, password, domain, and auto-reconnect cookies. These pieces are packaged into a TS_INFO_PACKET structure. The xrdp server stores this information in an internal xrdp_client_info structure, with fields like username, password, and domain each limited to 512 bytes (defined by INFO_CLIENT_MAX_CB_LEN). The vulnerability specifically lies in how the server handles incoming Unicode strings during this exchange.

2. The Buffer Size Seems Safe — But the Conversion Creates a Trap

Although the buffer limit (512 bytes) appears straightforward, the actual hazard emerges from the encoding conversion. The client transmits data using UTF-16 encoding (two bytes per code unit), while the server converts it to UTF-8 (one to four bytes per code point) before storing. The conversion function, ts_info_utf16_in, receives the source byte count and the destination buffer length. However, the implementation fails to account for the maximum expansion factor — UTF-8 can increase the size up to four times compared to the original UTF-16 string. As a result, a carefully crafted packet with a long Unicode string can overflow the fixed-size destination buffer, leading to memory corruption.

3. The Flaw Resides in the ts_info_utf16_in Function

This function is responsible for copying UTF-16 data from the incoming stream into a UTF-8 buffer. It checks that src_bytes + 2 bytes are available in the stream, but it does not verify that the resulting UTF-8 output will fit within dst_len. The code passes the buffer length (sizeof(xrdp_client_info.domain) = 512) as dst_len. During conversion, each UTF-16 character may become up to 3 UTF-8 bytes (for BMP characters) or 4 bytes (for supplementary characters). Without proper bounds checking, an attacker can send a payload that writes beyond the allocated array, potentially altering adjacent memory fields like program or directory, or even overwriting critical function pointers.

4. Exploitation Requires No Authentication

Because the vulnerable code path runs before the client is authenticated, an attacker does not need valid credentials to trigger the overflow; network access to a target xrdp server is enough. By crafting a malicious Client Info PDU with an excessively large domain name (or other string fields) in UTF-16 format, they can cause a heap- or stack-based buffer overflow (depending on the platform and compiler). This pre-authentication access makes the vulnerability particularly dangerous, as it can be weaponized remotely to gain an initial foothold in an environment.

5. The Patch Closes the Gap with Proper Size Checks

The xrdp development team responded quickly to Kaspersky’s disclosure. In version 0.10.5, they modified the ts_info_utf16_in function to calculate the maximum possible UTF-8 output size before conversion. The fix ensures that if the converted data would exceed the destination buffer, the operation is halted and an error is returned. Additionally, they backported the patch to older stable branches: 0.9.27 and 0.10.4.1. Administrators are strongly advised to upgrade to these patched versions immediately.
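To make the missing check concrete, the following is an added example written for this article; it is not xrdp's code, and the function name utf16le_to_utf8_bounded and the helpers convert_units, convert_repeated and utf8_matches are hypothetical. It converts UTF-16LE to UTF-8 the way a hardened converter has to: the worst-case output size is computed and compared against dst_len before a single byte is written, which is the gap described in facts 2 and 3 and closed by the patch described in fact 5. The bound used is 3 UTF-8 bytes per 16-bit code unit, which also covers surrogate pairs (two units become 4 bytes). The 512-byte limit mirrors the INFO_CLIENT_MAX_CB_LEN value cited above; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field limit the article cites for xrdp_client_info (a constructed mirror
 * of the value for this example, not xrdp's own header). */
#define INFO_CLIENT_MAX_CB_LEN 512

/* Worst-case growth: one 16-bit unit (BMP code point) -> up to 3 UTF-8 bytes;
 * a surrogate pair (two units) -> 4 bytes, i.e. 2 per unit. So 3 bytes per
 * code unit bounds every possible input. */
#define UTF8_MAX_PER_UTF16_UNIT 3

/* Hypothetical hardened converter (not xrdp's ts_info_utf16_in). Converts
 * src_bytes of UTF-16LE into dst as NUL-terminated UTF-8. Returns the UTF-8
 * byte count (without the NUL), or -1 when the worst-case output would not
 * fit in dst_len or the input is malformed. The size check runs before any
 * byte is written, so a too-small buffer is never overrun. */
int utf16le_to_utf8_bounded(const uint8_t *src, size_t src_bytes,
                            char *dst, size_t dst_len)
{
    size_t units = src_bytes / 2;
    size_t out = 0;

    if (src_bytes % 2 != 0 || dst_len == 0)
        return -1;
    /* Same as "units * 3 + 1 > dst_len", written so it cannot overflow. */
    if (units > (dst_len - 1) / UTF8_MAX_PER_UTF16_UNIT)
        return -1;

    for (size_t i = 0; i < units; i++) {
        uint32_t cp = (uint32_t)src[2 * i] | ((uint32_t)src[2 * i + 1] << 8);

        if (cp >= 0xD800 && cp <= 0xDBFF) {            /* high surrogate */
            if (i + 1 >= units)
                return -1;                             /* truncated pair */
            uint32_t lo = (uint32_t)src[2 * i + 2] | ((uint32_t)src[2 * i + 3] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF)
                return -1;                             /* not a low surrogate */
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
            i++;                                       /* pair used two units */
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                                 /* lone low surrogate */
        }

        if (cp < 0x80) {
            dst[out++] = (char)cp;
        } else if (cp < 0x800) {
            dst[out++] = (char)(0xC0 | (cp >> 6));
            dst[out++] = (char)(0x80 | (cp & 0x3F));
        } else if (cp < 0x10000) {
            dst[out++] = (char)(0xE0 | (cp >> 12));
            dst[out++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            dst[out++] = (char)(0x80 | (cp & 0x3F));
        } else {
            dst[out++] = (char)(0xF0 | (cp >> 18));
            dst[out++] = (char)(0x80 | ((cp >> 12) & 0x3F));
            dst[out++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            dst[out++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    dst[out] = '\0';
    return (int)out;
}

/* Helper: pack code units as UTF-16LE, convert into the first dst_len bytes
 * of a 512-byte field, and return the converter's result. On success the
 * UTF-8 text is copied to utf8_out when that pointer is non-NULL. */
int convert_units(const uint16_t *units, size_t count, size_t dst_len,
                  char *utf8_out)
{
    uint8_t src[2 * INFO_CLIENT_MAX_CB_LEN];
    char dst[INFO_CLIENT_MAX_CB_LEN];
    if (count > INFO_CLIENT_MAX_CB_LEN || dst_len > sizeof dst)
        return -2;
    for (size_t i = 0; i < count; i++) {
        src[2 * i] = (uint8_t)(units[i] & 0xFF);
        src[2 * i + 1] = (uint8_t)(units[i] >> 8);
    }
    int n = utf16le_to_utf8_bounded(src, 2 * count, dst, dst_len);
    if (n >= 0 && utf8_out)
        memcpy(utf8_out, dst, (size_t)n + 1);
    return n;
}

/* Helper: a domain field made of `count` copies of one code unit, the
 * shape of oversized Client Info string the article describes (constructed). */
int convert_repeated(uint16_t unit, size_t count, size_t dst_len)
{
    uint16_t units[INFO_CLIENT_MAX_CB_LEN];
    if (count > INFO_CLIENT_MAX_CB_LEN)
        return -2;
    for (size_t i = 0; i < count; i++)
        units[i] = unit;
    return convert_units(units, count, dst_len, NULL);
}

/* Helper: 1 if the conversion succeeds and yields exactly `expected`. */
int utf8_matches(const uint16_t *units, size_t count, const char *expected)
{
    char buf[INFO_CLIENT_MAX_CB_LEN];
    int n = convert_units(units, count, sizeof buf, buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* 200 units of U+4E2D: 400 UTF-16 bytes, under the 512-byte field, but
     * 600 UTF-8 bytes. The bounded converter refuses instead of overrunning. */
    printf("200 x U+4E2D into 512 bytes -> %d\n", convert_repeated(0x4E2D, 200, 512));
    printf("170 x U+4E2D into 512 bytes -> %d\n", convert_repeated(0x4E2D, 170, 512));
    return 0;
}
```

The 200-unit case is the trap from fact 2: the input is smaller than the destination field, so a check on the input length alone would pass it, yet the UTF-8 output is 600 bytes. The 170-unit case sits exactly at the limit (510 bytes plus the terminating NUL) and is accepted; 171 units is rejected. Rejecting the whole packet rather than truncating is the safer choice here, since a silently shortened domain or username could be mistaken for a valid one.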

6. All xrdp Deployments Are Potentially at Risk

While the vulnerability was discovered through Kaspersky’s USB Redirector module, the flaw exists in the core xrdp code and affects all xrdp servers, regardless of whether the USB Redirector is installed. This includes standalone xrdp installations, Linux terminal servers, and thin client environments. The Kaspersky Thin Client OS is not inherently vulnerable, but any system running xrdp without the latest patches is at risk. Organizations using xrdp for remote access should prioritize updating their servers.

7. Immediate Steps to Protect Your Environment

To mitigate the threat from CVE-2025-68670, follow these recommendations:

If immediate patching is not possible, consider disabling the RDP service temporarily or placing it behind a secure gateway.

Conclusion

The discovery of CVE-2025-68670 underscores the importance of continuous security assessments in open-source software. A simple encoding conversion oversight led to a critical RCE vulnerability that could be exploited before authentication. Thanks to the coordinated disclosure between Kaspersky and the xrdp team, patches are now available. System administrators must act quickly to apply these updates and review their remote access security posture. Staying informed and proactive is the best defense against such threats.
