7 Critical Insights into CVE-2025-68670: The xrdp Remote Code Execution Vulnerability
When security researchers at Kaspersky audited the company's own USB Redirector utility last year, they stumbled upon a severe vulnerability in the underlying xrdp remote desktop server. This flaw, now tracked as CVE-2025-68670, could allow an attacker to execute arbitrary code on a target system—without needing valid credentials. The issue was responsibly disclosed, quickly patched, and now serves as a stark reminder of how even well-tested protocols can harbor dangerous assumptions. In this article, we break down the seven most important aspects of this vulnerability, from its discovery to the technical root cause and the fixes that keep users safe.
1. The Discovery: How Kaspersky Found the Flaw
Kaspersky regularly performs security audits on its own software, and the USB Redirector module—which extends the capabilities of xrdp for thin clients—was no exception. During a routine audit in 2024, researchers examined how the xrdp server handles incoming data during the RDP connection setup. Specifically, they focused on the Secure Settings Exchange phase, which occurs just before client authentication. It was here that they identified a buffer overflow condition that could be triggered remotely. The research team immediately reported their findings to the xrdp project maintainers, who acted swiftly. The vulnerability was assigned CVE-2025-68670 and patched in version 0.10.5, with backports to 0.9.27 and 0.10.4.1.

2. The Target: xrdp and Kaspersky USB Redirector in the Wild
xrdp is a popular open-source implementation of the Remote Desktop Protocol (RDP) server on Linux, used in countless enterprise environments to provide remote access to desktops and applications. Kaspersky USB Redirector is a commercial add-on that sits on top of xrdp, enabling thin clients to use local USB devices such as flash drives, smart card readers, tokens and printers inside a remote session. The combination is especially common in organizations that run Kaspersky Thin Client OS. The audit of USB Redirector, however, surfaced a flaw in the core xrdp server rather than in the add-on, so any system running an unpatched xrdp is exposed whether or not USB Redirector is installed.
3. The Dangerous Phase: Secure Settings Exchange in RDP
An RDP connection does not happen all at once; it follows a multi-stage handshake. The most critical stage for CVE-2025-68670 is the Secure Settings Exchange, which occurs immediately before authentication. At this point, the client sends sensitive credential data to the server inside a structure called the Client Info PDU (Protocol Data Unit). This packet contains fields like username, password, domain, program path, and working directory, all encoded as Unicode strings. The vulnerability arises because the server's code assumes these strings will fit within fixed-size buffers—an assumption that can be broken with a specially crafted packet.
4. Inside the TS_INFO_PACKET: How Credentials Flow
The client bundles credentials into a structure named TS_INFO_PACKET, which on the server side is unpacked into xrdp's xrdp_client_info struct. This struct holds fixed-size character arrays for the username, password, domain, program and directory fields, each sized by the constant INFO_CLIENT_MAX_CB_LEN (512 bytes). On the wire the fields are null-terminated UTF-16 strings; the server converts them to UTF-8 before storing them. The conversion function, ts_info_utf16_in, is meant to prevent overflows by checking buffer sizes, but the check can be circumvented in an edge case involving the placement of the null terminator.
5. The Unicode Trap: UTF-16 to UTF-8 Conversion
When the client sends data over the wire, it uses UTF-16LE, where each code unit takes two bytes (characters outside the Basic Multilingual Plane take two code units, four bytes). The xrdp server converts this UTF-16 data to UTF-8 before copying it into the fixed-size buffers described above. The conversion function, ts_info_utf16_in, receives the source byte count, the destination buffer and the destination buffer size, and it uses s_check_rem_and_log to confirm that the source bytes are actually present in the received stream. The subtle part is that the source byte count says little about the size of the UTF-8 output. A two-byte UTF-16 code unit for a character at or above U+0800 becomes three UTF-8 bytes, so a 512-byte field can need 768 bytes of destination space, and a field that arrives without its null terminator gives the converter no second stopping condition. A check that only compares the source length against the destination size therefore does not bound the write, even when the source looks like it fits.

6. The Buffer Overflow: Exploiting a Missing Null
The crux of CVE-2025-68670 is a classic buffer overflow. The xrdp server expects each field in the Client Info PDU to end with a null terminator (two bytes in UTF-16). If the attacker omits that terminator, or sizes a field so that it sits exactly at the 512-byte boundary, the conversion routine can read past the intended end of the field and write beyond the destination array into adjacent memory. The result is memory corruption that can lead to remote code execution. Because the Client Info PDU is processed before authentication, an attacker needs no valid credentials, only network access to the RDP port (3389 by default), which makes this an especially dangerous pre-authentication bug.
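To make the points of sections 4 to 6 concrete, here is an added C example that is not xrdp's or Kaspersky's code and does not reproduce the actual faulting path: a bounds-checked decoder for the string fields of a TS_INFO_PACKET as laid out in MS-RDPBCGR 2.2.1.11.1.1, with constructed PDUs that exercise the two conditions the article discusses (UTF-8 expansion past a destination sized from the UTF-16 length, and a field whose null terminator is missing). The names MAX_CB_LEN, parse_info_strings, utf16le_to_utf8_bounded, build_info_pdu, try_pdu and utf8_size_of_run are assumptions for illustration, as is the 512-byte capacity taken from the article.

```c
/* Added example (not xrdp's or Kaspersky's code): bounds-checked decoding of the string
 * fields of a TS_INFO_PACKET. Layout assumed from MS-RDPBCGR 2.2.1.11.1.1: 4-byte CodePage,
 * 4-byte flags, five 2-byte cb* lengths (Domain, UserName, Password, AlternateShell,
 * WorkingDir), then each string as cb* bytes of UTF-16LE plus a 2-byte null terminator
 * that cb* does NOT count. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_CB_LEN 512   /* assumed destination capacity, mirroring the article's 512 */
#define NUM_FIELDS 5
struct info_strings { char field[NUM_FIELDS][MAX_CB_LEN + 1]; };   /* UTF-8, '\0'-terminated */

/* UTF-16LE -> UTF-8 into dst, writing at most dst_size bytes including '\0'. Returns bytes
 * written (excluding '\0'), or -1 if the input is malformed (odd length, lone surrogate) or
 * the OUTPUT would not fit: the destination size, not the source length, bounds the loop. */
long utf16le_to_utf8_bounded(const uint8_t *src, size_t src_bytes, char *dst, size_t dst_size)
{
    size_t i = 0, o = 0;
    if (dst_size == 0 || src_bytes % 2 != 0) return -1;
    while (i < src_bytes) {
        uint32_t cp = src[i] | ((uint32_t)src[i + 1] << 8);
        i += 2;
        if (cp >= 0xD800 && cp <= 0xDBFF) {                      /* high surrogate: need a low one */
            if (i + 2 > src_bytes) return -1;
            uint32_t lo = src[i] | ((uint32_t)src[i + 1] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF) return -1;
            i += 2;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) return -1;      /* lone low surrogate */
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (o + need >= dst_size) return -1;                      /* keep room for '\0' */
        if (need == 1) { dst[o++] = (char)cp; continue; }
        dst[o++] = (char)((need == 2 ? 0xC0 : need == 3 ? 0xE0 : 0xF0) | (cp >> (6 * (need - 1))));
        for (size_t k = need - 1; k > 0; k--)
            dst[o++] = (char)(0x80 | ((cp >> (6 * (k - 1))) & 0x3F));
    }
    dst[o] = '\0';
    return (long)o;
}

/* Decode the header and five strings of a Client Info PDU held in n bytes. Returns bytes
 * consumed, or -1 on a length past the PDU end, a missing terminator, or a UTF-8 form that
 * would not fit the fixed-size destination. */
long parse_info_strings(const uint8_t *p, size_t n, struct info_strings *out)
{
    uint16_t cb[NUM_FIELDS];
    size_t pos = 8;                                               /* skip CodePage, flags */
    if (n < 8 + 2 * NUM_FIELDS) return -1;
    for (int f = 0; f < NUM_FIELDS; f++, pos += 2)
        cb[f] = (uint16_t)(p[pos] | (p[pos + 1] << 8));
    for (int f = 0; f < NUM_FIELDS; f++) {
        if (cb[f] > MAX_CB_LEN || cb[f] % 2 != 0 || pos + cb[f] + 2 > n)   /* field is cb + 2 bytes */
            return -1;
        if (p[pos + cb[f]] != 0 || p[pos + cb[f] + 1] != 0)
            return -1;                            /* terminator absent: reject, never scan onward */
        if (utf16le_to_utf8_bounded(p + pos, cb[f], out->field[f], sizeof out->field[f]) < 0)
            return -1;
        pos += cb[f] + 2;
    }
    return (long)pos;
}

/* Constructed PDU: every string is `count` copies of UTF-16 code unit `unit`. Returns total
 * length, or 0 if it would not fit in cap bytes. */
size_t build_info_pdu(uint8_t *buf, size_t cap, uint16_t unit, uint16_t count)
{
    size_t pos = 8, cb = (size_t)count * 2;
    if (8 + 2 * NUM_FIELDS + NUM_FIELDS * (cb + 2) > cap) return 0;
    memset(buf, 0, 8);                                            /* CodePage = 0, flags = 0 */
    for (int f = 0; f < NUM_FIELDS; f++) { buf[pos++] = (uint8_t)cb; buf[pos++] = (uint8_t)(cb >> 8); }
    for (int f = 0; f < NUM_FIELDS; f++) {
        for (size_t k = 0; k < count; k++) { buf[pos++] = (uint8_t)unit; buf[pos++] = (uint8_t)(unit >> 8); }
        buf[pos++] = 0; buf[pos++] = 0;
    }
    return pos;
}

/* Parser verdict for a constructed PDU; drop_terminator clobbers field 0's terminator. */
long try_pdu(uint16_t unit, uint16_t count, int drop_terminator)
{
    uint8_t pdu[4096];
    struct info_strings out;
    size_t n = build_info_pdu(pdu, sizeof pdu, unit, count);
    if (n == 0) return -2;
    if (drop_terminator) pdu[8 + 2 * NUM_FIELDS + (size_t)count * 2] = 'x';
    return parse_info_strings(pdu, n, &out);
}

/* UTF-8 bytes the converter emits for `count` copies of `unit` when given ample room. */
long utf8_size_of_run(uint16_t unit, uint16_t count)
{
    uint8_t pdu[4096]; char dst[4096];
    if (build_info_pdu(pdu, sizeof pdu, unit, count) == 0) return -2;
    return utf16le_to_utf8_bounded(pdu + 8 + 2 * NUM_FIELDS, (size_t)count * 2, dst, sizeof dst);
}
```

Three calls tell the story: try_pdu(0x0061, 256, 0) is a PDU of 256 ASCII code units per field (cb = 512, the boundary case) and decodes cleanly; try_pdu(0x0800, 256, 0) has the same cb and passes any source-length check, yet utf8_size_of_run(0x0800, 256) shows the UTF-8 form needs 768 bytes, so the bounded converter refuses it instead of writing past the 513-byte array; try_pdu(0x0061, 256, 1) has a non-zero byte where field 0's terminator belongs and is rejected before any conversion rather than being scanned onward. The design point is that the loop is bounded by the destination size at every write, so an input that is well-formed by the length fields alone cannot push it past the array; a destination sized for the worst case would need 3 * MAX_CB_LEN / 2 + 1 bytes.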
7. The Fix and What You Should Do
The xrdp project maintainers responded admirably: they released patched versions 0.10.5, 0.9.27, and 0.10.4.1. The fix involves stricter validation of the incoming UTF-16 data, ensuring that the conversion cannot overflow the destination buffers even in edge cases. Additionally, the team issued a security bulletin urging all users to upgrade immediately. To protect your systems, take the following actions:
- Update xrdp to the patched version for your distribution.
- Restrict RDP access to trusted networks only, ideally via VPN or firewalls.
- Enable logging and monitoring for unusual RDP connection attempts.
- Consider using an RDP gateway or reverse proxy to add an authentication layer before the actual xrdp server.
If you use Kaspersky Thin Client or USB Redirector, ensure that the underlying xrdp package is also updated, as the vulnerability affects xrdp directly, not the add-on module.
Conclusion: A Wake-Up Call for Protocol Security
CVE-2025-68670 is a textbook example of how assumptions about data encoding and null terminators can lead to critical memory corruption bugs. The fact that it was discovered during an audit of an associated product—Kaspersky USB Redirector—highlights the importance of looking beyond surface-level functionality when assessing security. For administrators, the incident reinforces the need to keep all components of remote desktop solutions up to date, even those considered stable for years. Thanks to responsible disclosure and swift patching, the xrdp community can now sleep a little easier. But this vulnerability should also serve as a reminder that the RDP protocol, while powerful, demands rigorous input validation on every packet it receives.