Severity: critical

CVE-2025-68670: discovering an RCE vulnerability in xrdp

Kaspersky researchers discovered CVE-2025-68670, a pre-authentication Remote Code Execution (RCE) vulnerability in the xrdp server for Linux. The flaw stems from a stack buffer overflow in the xrdp_wm_parse_domain_information function when processing specially crafted domain names during the Secure Settings Exchange phase, allowing an attacker to overwrite the return address and execute arbitrary code.

Sens: Immediate; Conf: high; Analyzed: 2026-05-08

Authors: Denis Skvortsov

Source: Kaspersky

Detection / Hunter

What Happened

A critical security flaw was found in xrdp, a popular tool used to remotely access Linux computers. The vulnerability allows an attacker to take control of the system without needing a valid username or password. This matters because anyone with network access to the remote desktop server could potentially compromise the machine. Administrators should immediately update their xrdp installations to the latest patched versions to protect their systems.

Key Takeaways

  • CVE-2025-68670 is a pre-authentication Remote Code Execution (RCE) vulnerability in the xrdp remote desktop server for Linux.
  • The vulnerability is caused by a stack buffer overflow in the xrdp_wm_parse_domain_information function during UTF-16 to UTF-8 conversion.
  • Exploitation is achieved by sending a specially crafted domain name in which more than 256 bytes separate the initial '_' from the following '__' sequence.
  • The vulnerability can be exploited before client authentication, requiring no valid credentials.
  • Patches are available in xrdp versions 0.10.5, 0.9.27, and 0.10.4.1.

Affected Systems

  • xrdp server versions prior to 0.10.5
  • xrdp server versions prior to 0.9.27
  • xrdp server versions prior to 0.10.4.1
  • Linux operating systems running vulnerable xrdp instances

Vulnerabilities (CVEs)

  • CVE-2025-68670

Attack Chain

The attacker initiates an RDP connection to the vulnerable xrdp server. During the Secure Settings Exchange phase, before authentication, the attacker sends a Client Info PDU containing a specially crafted domain name starting with an underscore and containing a long sequence of characters before a double underscore. The server's xrdp_wm_parse_domain_information function attempts to extract this domain into a 256-byte stack buffer, resulting in a buffer overflow. The overflow overwrites the return address, allowing the attacker to execute arbitrary code in the context of the xrdp process.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but describes the mechanism of the buffer overflow which could be used to build network signatures looking for abnormally long domain fields in RDP Client Info PDUs.
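An added example of such a check, written for this summary and not code from the Kaspersky research or the xrdp project: it takes the Domain field bytes of a Client Info PDU (assumed already extracted from the decrypted handshake by an IDS or a Zeek script), decodes the UTF-16LE text as the server would, and flags the pattern described above. The segment is measured in UTF-8 bytes, since the overflow occurs after conversion, so a domain that looks short in UTF-16 can still exceed the 256-byte buffer.

```python
# Added detection helper for the CVE-2025-68670 indicator described above.
# It assumes the Domain field has already been extracted from the Client Info
# PDU; the records below are constructed samples, not real captures.

DOMAIN_STACK_BUFFER = 256  # size of the stack buffer named in the advisory


def domain_from_utf16le(raw: bytes) -> str:
    """Decode a UTF-16LE Domain field and drop anything after the first NUL."""
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def is_suspicious_domain(domain: str, limit: int = DOMAIN_STACK_BUFFER) -> bool:
    """True when the domain starts with '_' and the closing '__' sits more than
    `limit` bytes into the string, the condition the advisory describes.

    The segment is measured in UTF-8 bytes, not characters, because the
    overflow happens after the server's UTF-16 -> UTF-8 conversion: a domain
    of under 256 UTF-16 code units can still expand past 256 bytes.
    Legitimate xrdp domains of the form '_host__port' stay far below the
    limit, which keeps false positives low.
    """
    if not domain.startswith("_"):
        return False
    end = domain.find("__", 1)
    if end == -1:
        return False  # the pattern the advisory describes needs the closing '__'
    return len(domain[1:end].encode("utf-8")) > limit


def scan_records(records):
    """Return (source, decoded domain) for each record matching the indicator.

    `records` is an iterable of (source_ip, raw_domain_bytes) tuples.
    """
    hits = []
    for src, raw in records:
        domain = domain_from_utf16le(raw)
        if is_suspicious_domain(domain):
            hits.append((src, domain))
    return hits


# Constructed sample records: two benign logons and one oversized domain.
SAMPLE_RECORDS = [
    ("192.0.2.10", "CORP\x00".encode("utf-16-le")),
    ("192.0.2.11", "_10.0.0.5__3389\x00".encode("utf-16-le")),
    ("192.0.2.12", ("_" + "A" * 300 + "__3389\x00").encode("utf-16-le")),
]

if __name__ == "__main__":
    for src, domain in scan_records(SAMPLE_RECORDS):
        print(f"{src}: suspicious Client Info domain, {len(domain)} chars")
```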

Detection Engineering Assessment

  • EDR Visibility: Medium — EDRs may catch the resulting memory corruption (e.g., stack smashing detected) or post-exploitation shell execution, but might not parse the specific RDP pre-auth PDU traffic natively.
  • Network Visibility: High — Network IDS/IPS can inspect the RDP Client Info PDU for excessively long domain strings, specifically those starting with '_' and exceeding 256 bytes before '__'.
  • Detection Difficulty: Moderate — Detecting the exploit requires deep packet inspection of the RDP protocol during the initial handshake, or relying on crash logs if the exploit fails.

Required Log Sources

  • Network packet captures (PCAP)
  • Linux syslog/auth.log (for xrdp crashes)
  • EDR memory alerts

Hunting Hypotheses

  • Hypothesis: Look for xrdp processes crashing with 'stack smashing detected' or SIGABRT signals, which may indicate failed exploitation attempts of CVE-2025-68670.
    • Telemetry: Linux system logs (syslog, journalctl) or EDR process crash events.
    • ATT&CK Stage: Execution
    • FP Risk: Low
  • Hypothesis: Monitor network traffic for RDP connection attempts where the domain field in the Client Info PDU is unusually long and begins with an underscore.
    • Telemetry: Network IDS/IPS or Zeek RDP analyzer logs.
    • ATT&CK Stage: Initial Access
    • FP Risk: Low

Control Gaps

  • Lack of deep packet inspection for RDP pre-authentication phases
  • Absence of stack canaries in custom or older compiled versions of xrdp

Key Behavioral Indicators

  • xrdp process crashes with SIGABRT
  • RDP domain strings starting with '_' in which the '__' sequence appears more than 256 bytes into the string

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Upgrade xrdp to version 0.10.5, 0.9.27, or 0.10.4.1 immediately.
  • Restrict access to the RDP port (typically 3389) using firewalls or VPNs to trusted IP addresses only.

Infrastructure Hardening

  • Ensure xrdp and other exposed services are compiled with modern exploit mitigations like stack canaries (SSP), ASLR, and DEP.

User Protection

  • N/A

Security Awareness

  • Educate administrators on the risks of exposing remote desktop services directly to the internet.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application

Additional IOCs

  • IPs:
    • 172[.]22[.]118[.]7 - PoC target IP
  • Other:
    • testuser - Username used in the PoC RDP file.