Understanding CVE-2025-68670: A Remote Code Execution Flaw in xrdp
During a routine security audit of Kaspersky USB Redirector—a module that extends the xrdp remote desktop server for Linux to allow access to local USB devices in remote sessions—researchers at Kaspersky uncovered a critical remote code execution (RCE) vulnerability in the xrdp server itself. Designated CVE-2025-68670, this flaw arises from a buffer overflow in the handling of client-supplied data during the Secure Settings Exchange phase of an RDP connection. Below, we answer key questions about this vulnerability, its discovery, impact, and remediation.
What is CVE-2025-68670 and why is it significant?
CVE-2025-68670 is a remote code execution vulnerability found in the xrdp server, an open-source implementation of the Remote Desktop Protocol (RDP) for Linux. The flaw allows an unauthenticated remote attacker to trigger a buffer overflow, potentially leading to arbitrary code execution on the target system. Its significance lies in xrdp's widespread use in thin client environments, such as Kaspersky Thin Client, where security is paramount. Exploitation could give an attacker full control over a server, compromising sensitive data and disrupting operations.

Which product led to the discovery of this vulnerability?
The vulnerability was discovered during a security audit of Kaspersky USB Redirector, a proprietary module that enhances xrdp by enabling redirection of local USB devices like flash drives, smart cards, and printers to remote desktop sessions. Kaspersky actively tests its own products for weaknesses, and this audit revealed the xrdp RCE flaw. The company promptly reported it to the xrdp project maintainers, demonstrating responsible disclosure.
How does the buffer overflow vulnerability in xrdp work?
The vulnerability lies in the Secure Settings Exchange phase of an RDP connection, which takes place just before client authentication. The client sends a TS_INFO_PACKET whose fields (username, password, domain and others) are UTF-16 strings of up to 512 bytes each. The server converts them to UTF-8 with the function ts_info_utf16_in and stores the results in fixed-size buffers such as char domain[INFO_CLIENT_MAX_CB_LEN], where the constant is 512. Although the function includes boundary checks, an off-by-one error or an incorrect size calculation can let a malicious client write past the end of the buffer and corrupt memory. With a crafted packet, an attacker can overwrite adjacent memory and achieve code execution.
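The conversion step described above is where buffer sizing matters: UTF-8 can be longer than the UTF-16 it came from, so a destination sized to the 512-byte wire limit cannot hold every 512-byte UTF-16 input. The C code below is an added illustration, not xrdp's ts_info_utf16_in or any other xrdp code, and it does not claim to reproduce the actual defect; the constant name INFO_CLIENT_MAX_CB_LEN and its value 512 are taken from the text, while the function names and the sample inputs are constructed for this example. It shows a converter that checks the destination capacity before every write, the worst-case size a caller should allocate, and how a 512-byte UTF-16 field would not fit a same-size UTF-8 buffer unless the converter refuses it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant name and value taken from the text; this definition is
   constructed here, not copied from xrdp's headers. */
#define INFO_CLIENT_MAX_CB_LEN 512

/* Smallest UTF-8 destination (including NUL) for any well-formed UTF-16 input
   of this many bytes: a 2-byte code unit in U+0800..U+FFFF becomes 3 UTF-8
   bytes, a 4-byte surrogate pair becomes 4, so the worst ratio is 3/2. */
size_t utf8_worst_case(size_t utf16_bytes)
{
    return (utf16_bytes / 2) * 3 + 1;
}

/* Convert UTF-16LE to NUL-terminated UTF-8. Returns the length written
   (without NUL) or -1 if the input is malformed or the output would not fit.
   The bound is checked before every write with one byte reserved for the
   terminator, so nothing is ever stored past out_cap. */
long utf16le_to_utf8(const uint8_t *in, size_t in_len, char *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    if (out_cap == 0 || in_len % 2 != 0)
        return -1;
    while (ip < in_len) {
        uint32_t cp = (uint32_t)in[ip] | ((uint32_t)in[ip + 1] << 8);
        ip += 2;
        if (cp >= 0xD800 && cp <= 0xDBFF) {             /* high surrogate */
            if (ip >= in_len)
                return -1;                               /* pair cut off */
            uint32_t lo = (uint32_t)in[ip] | ((uint32_t)in[ip + 1] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF)
                return -1;                               /* unpaired high */
            ip += 2;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                                   /* lone low surrogate */
        }
        if (cp == 0)
            break;                                       /* embedded terminator */
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (op + need >= out_cap)
            return -1;                                   /* would overflow */
        if (need == 1) {
            out[op++] = (char)cp;
        } else {
            /* Lead byte marks the length; each continuation byte carries 6 bits. */
            size_t shift = 6 * (need - 1);
            uint32_t lead = need == 2 ? 0xC0 : need == 3 ? 0xE0 : 0xF0;
            out[op++] = (char)(lead | (cp >> shift));
            while (shift > 0) {
                shift -= 6;
                out[op++] = (char)(0x80 | ((cp >> shift) & 0x3F));
            }
        }
    }
    out[op] = '\0';
    return (long)op;
}

/* Field-level wrapper: enforce the wire-length limit, then let the converter
   check the destination's real capacity rather than assuming it equals the
   wire limit. */
long read_info_field(const uint8_t *wire, size_t wire_len, char *dst, size_t dst_cap)
{
    if (wire_len > INFO_CLIENT_MAX_CB_LEN)
        return -1;
    return utf16le_to_utf8(wire, wire_len, dst, dst_cap);
}

/* Constructed sample: 256 code units of U+20AC (EURO SIGN) fill exactly 512
   bytes of UTF-16LE but need 768 bytes of UTF-8. Returns 1 when a 512-byte
   destination is refused and a worst-case-sized one is filled. */
int demo_expansion(void)
{
    uint8_t wire[INFO_CLIENT_MAX_CB_LEN];
    char same_size[INFO_CLIENT_MAX_CB_LEN];
    char worst_case[(INFO_CLIENT_MAX_CB_LEN / 2) * 3 + 1];
    for (size_t i = 0; i < sizeof wire; i += 2) {
        wire[i] = 0xAC;                                  /* low byte of U+20AC */
        wire[i + 1] = 0x20;                              /* high byte */
    }
    long refused = read_info_field(wire, sizeof wire, same_size, sizeof same_size);
    long written = read_info_field(wire, sizeof wire, worst_case, sizeof worst_case);
    return refused == -1 && written == 768 && strlen(worst_case) == 768;
}

/* Constructed sample: a lone high surrogate (D83D) followed by 'A' is
   malformed and must be rejected. Returns 1 when it is. */
int demo_rejects_lone_surrogate(void)
{
    const uint8_t wire[] = { 0x3D, 0xD8, 'A', 0x00 };
    char out[8];
    return utf16le_to_utf8(wire, sizeof wire, out, sizeof out) == -1;
}
```

The defensive lesson is in the two separate limits: the wire-length check bounds what the client may send, and the capacity check bounds what the converter may write; a destination declared with the wire limit should either be enlarged to utf8_worst_case() or the conversion must fail cleanly when the expanded text does not fit. Feeding a converter like this odd-length input, truncated surrogate pairs and maximum-expansion characters is a useful regression test for any code that copies client-controlled UTF-16 into fixed buffers.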

What versions of xrdp are affected and how was it fixed?
The flaw affects xrdp releases before 0.10.5, including the earlier 0.9.x branch. The xrdp maintainers acted swiftly after Kaspersky’s report: they fixed the vulnerability in version 0.10.5, backported the patch to versions 0.9.27 and 0.10.4.1, and published a security bulletin. Users should upgrade to these patched versions or apply the provided patches immediately.
What measures can users take to protect themselves from CVE-2025-68670?
To protect against CVE-2025-68670, administrators should:
- Upgrade xrdp to version 0.10.5, 0.9.27, or 0.10.4.1 (whichever applies to their distribution).
- If an upgrade is not immediately possible, restrict network access to the xrdp server to trusted IP addresses only.
- Monitor official xrdp security advisories for additional updates.
- For Kaspersky Thin Client users, ensure Kaspersky USB Redirector is updated alongside the underlying xrdp.
Implementing defense-in-depth, such as using firewalls and intrusion detection systems, can also mitigate risk.
How did the xrdp project maintainers respond to the disclosure?
The xrdp maintainers responded promptly and professionally. After receiving Kaspersky’s detailed report, they developed a fix and released it in version 0.10.5. They also backported the patch to the stable 0.9.x and 0.10.4.x branches to ensure broad coverage. Additionally, they issued a security bulletin to alert users. This coordinated disclosure highlights the value of collaboration between security researchers and open-source projects.