VYPR
Advisory · Published May 8, 2026 · Updated May 18, 2026 · 1 source

CVE-2025-68670: Critical RCE Vulnerability Discovered in xrdp Remote Desktop Server

Kaspersky researchers have disclosed CVE-2025-68670, a critical remote code execution vulnerability in the xrdp remote desktop server for Linux that can be exploited without authentication.

Kaspersky researchers have discovered a critical remote code execution (RCE) vulnerability in the xrdp remote desktop server for Linux, tracked as CVE-2025-68670. The flaw is reachable during the Secure Settings Exchange phase of the RDP connection sequence, in which the client sends the Client Info PDU carrying the user name, password and domain it proposes to log in with. xrdp parses the domain field from that PDU before any credentials are verified, so exploitation requires no valid account. An attacker who can reach the RDP port can send a specially crafted Client Info PDU that triggers a buffer overflow, potentially leading to arbitrary code execution on the server.

The vulnerable code is the `xrdp_wm_parse_domain_information` function, which interprets the domain name supplied by the client. After conversion from UTF-16, as carried on the wire, to UTF-8, the domain is held in a 512-byte buffer. The function then copies data taken from it into a 256-byte destination buffer, `resultIP`, without checking that it fits. A domain whose converted form is longer than 256 bytes therefore writes past the end of `resultIP`, and because the attacker controls both the length and the content of the overflowing bytes, the corruption of adjacent memory can be turned into control of the execution flow. The size mismatch between the two buffers is what makes the flaw reachable; the root cause is the missing bounds check on the copy.
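To make the bug class concrete, the following is an illustrative example added for this page. It is not xrdp's code and does not reproduce `xrdp_wm_parse_domain_information`; it models a domain that can be up to 512 bytes after UTF-16 to UTF-8 conversion, one field of which is copied into a 256-byte buffer. The `_` delimiter, the `DOMAIN_MAX` and `RESULT_MAX` constants and all function names are assumptions made for the illustration. The example also goes one step beyond the text above: the decoder shows that 512 bytes of UTF-16 can become 768 bytes of UTF-8, so a length limit has to be enforced on the converted bytes at the destination, not on the wire length.

```c
/* Illustrative example added for this page; not xrdp's code and not a copy of
 * xrdp_wm_parse_domain_information(). The '_' delimiter, DOMAIN_MAX,
 * RESULT_MAX and the function names are assumptions for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOMAIN_MAX 512 /* UTF-8 domain buffer size stated in the advisory */
#define RESULT_MAX 256 /* smaller destination buffer size stated in the advisory */

/* Decode UTF-16LE into NUL-terminated UTF-8. Returns the UTF-8 byte count, or
 * -1 on malformed input or when out_cap cannot hold the result plus the NUL.
 * A 2-byte BMP code unit can become 3 UTF-8 bytes, so a limit expressed in
 * UTF-16 bytes does not bound the converted length. */
int utf16le_to_utf8(const uint8_t *in, size_t in_len, char *out, size_t out_cap)
{
    size_t o = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        uint32_t cp = (uint32_t)in[i] | ((uint32_t)in[i + 1] << 8);
        if (cp >= 0xD800 && cp <= 0xDBFF) {                 /* high surrogate */
            if (i + 3 >= in_len) return -1;                 /* truncated pair */
            uint32_t lo = (uint32_t)in[i + 2] | ((uint32_t)in[i + 3] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF) return -1;      /* unpaired high surrogate */
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
            i += 2;                                         /* second unit consumed */
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                                      /* stray low surrogate */
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (o + need >= out_cap) return -1;                 /* keep room for the NUL */
        if (need == 1) {
            out[o++] = (char)cp;
        } else {
            static const unsigned char lead[5] = {0, 0, 0xC0, 0xE0, 0xF0};
            out[o++] = (char)(lead[need] | (cp >> (6 * (need - 1))));
            for (size_t k = need - 1; k > 0; k--) {         /* continuation bytes */
                out[o++] = (char)(0x80 | ((cp >> (6 * (k - 1))) & 0x3F));
            }
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Worst case for a 512-byte UTF-16 domain: 256 code units of U+20AC (EURO
 * SIGN), 3 UTF-8 bytes each. Returns 768, or -1 when out_cap is too small. */
int utf8_len_of_max_utf16_domain(size_t out_cap)
{
    uint8_t in[512];
    char out[1024];
    for (size_t i = 0; i < sizeof in; i += 2) {
        in[i] = 0xAC;                                       /* U+20AC, little-endian */
        in[i + 1] = 0x20;
    }
    if (out_cap > sizeof out) out_cap = sizeof out;
    return utf16le_to_utf8(in, sizeof in, out, out_cap);
}

/* Bug shape: the first '_'-delimited field is copied into a 256-byte buffer
 * with no check that it fits, so a field close to DOMAIN_MAX bytes runs past
 * the end of result. Kept for comparison only; never feed it untrusted input. */
void parse_domain_field_unsafe(const char *domain, char result[RESULT_MAX])
{
    const char *end = strchr(domain, '_');
    size_t n = end ? (size_t)(end - domain) : strlen(domain);
    memcpy(result, domain, n);                              /* n may be DOMAIN_MAX - 1 */
    result[n] = '\0';
}

/* Hardened shape: measure the field against the destination before copying
 * and fail closed. Returns 1 on success, 0 when the field does not fit. */
int parse_domain_field_safe(const char *domain, char result[RESULT_MAX])
{
    const char *end = strchr(domain, '_');
    size_t n = end ? (size_t)(end - domain) : strlen(domain);
    if (n >= RESULT_MAX) {
        result[0] = '\0';
        return 0;
    }
    memcpy(result, domain, n);
    result[n] = '\0';
    return 1;
}

int main(void)
{
    char ip[RESULT_MAX];
    char oversized[DOMAIN_MAX];
    /* Constructed inputs: a benign field, then a 300-byte field that cannot fit. */
    int ok = parse_domain_field_safe("10.0.0.5_3389_alice", ip);
    printf("benign:    ok=%d ip=%s\n", ok, ip);
    memset(oversized, 'A', 300);
    strcpy(oversized + 300, "_3389");
    ok = parse_domain_field_safe(oversized, ip);
    printf("oversized: ok=%d (the unsafe variant would write past %d bytes)\n", ok, RESULT_MAX);
    printf("512 UTF-16 bytes -> %d UTF-8 bytes\n", utf8_len_of_max_utf16_domain(1024));
    return 0;
}
```

Build with `cc -Wall -o domain_demo domain_demo.c` and run it. Building with `-fsanitize=address` and calling `parse_domain_field_unsafe` on the oversized input makes the overrun visible as a reported buffer overflow; the safe variant refuses the same input before any byte is copied.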

Kaspersky discovered the vulnerability during a security audit of its Kaspersky USB Redirector module, which extends xrdp to allow USB device redirection in remote desktop sessions. The xrdp maintainers responded promptly, releasing a fix in version 0.10.5 and backporting it to 0.9.27 and 0.10.4.1. A security bulletin has been issued, and users are strongly advised to update to one of the patched versions. When checking the installed version, note that distribution packages may carry the fix as a patch on top of an older upstream version string; in that case the distribution's own advisory, not the upstream version number, is authoritative.

The impact of CVE-2025-68670 is significant given xrdp's widespread use for remote desktop access to Linux systems. Because the bug is reached before authentication, exploitation needs neither user interaction nor valid credentials; anything that can open a TCP connection to the xrdp listener (port 3389 by default) can attempt it. At the time of disclosure there was no evidence of exploitation in the wild, but the technical details published by Kaspersky lower the bar for developing an exploit. Organizations running xrdp should prioritize patching, and where the service is reachable from untrusted networks should restrict access to it (firewall rules, a VPN or a bastion host) until the update is in place.

This discovery highlights the importance of rigorous security audits in open-source software components that are widely integrated into commercial and enterprise products. The coordinated disclosure process between Kaspersky and the xrdp maintainers serves as a model for responsible vulnerability handling. Users are encouraged to monitor the xrdp project's security advisories and apply updates promptly to protect against potential attacks.

Synthesized by Vypr AI