Critical RCE Vulnerability in xrdp: Analysis of CVE-2025-68670 and Mitigation Steps

Introduction

Remote desktop solutions are essential for modern businesses, but they also introduce security risks that must be carefully managed. Kaspersky, known for its cybersecurity expertise, recently uncovered a critical remote code execution (RCE) vulnerability in xrdp, the popular open-source Remote Desktop Protocol (RDP) server for Linux. This flaw, tracked as CVE-2025-68670, was discovered during a routine security audit of the Kaspersky USB Redirector module—a component that allows thin clients to access local USB devices (flash drives, tokens, smart cards, printers) within an RDP session while maintaining encryption.

Critical RCE Vulnerability in xrdp: Analysis of CVE-2025-68670 and Mitigation Steps — Source: securelist.com

In this article, we break down the technical details of the vulnerability, how it was responsibly disclosed and patched, and what steps administrators should take to protect their systems.

The Discovery and Response

Kaspersky’s internal security assessment identified the flaw in the xrdp server, which is used as the foundation for the company’s USB Redirector solution. As soon as the vulnerability was confirmed, Kaspersky followed responsible disclosure practices and reported it to the xrdp project maintainers. The response was swift: a fix was released in xrdp version 0.10.5, with backports to versions 0.9.27 and 0.10.4.1. A security bulletin was also published to inform the community. This coordinated effort minimized the window of exposure.

Technical Breakdown of CVE-2025-68670

RDP Secure Settings Exchange

To understand the vulnerability, we must first examine how an RDP connection is established. The handshake between client and server is a multi‑stage process, where various settings are negotiated. The critical stage for this CVE is the Secure Settings Exchange, which occurs just before client authentication. At this point, the client sends protected credentials encapsulated in a Client Info PDU. This Protocol Data Unit contains details such as username, password, auto‑reconnect cookies, and more. All of this data is packed into a TS_INFO_PACKET structure, where each field is a Unicode string with a maximum length of 512 bytes, and the last character must be a null terminator. In the xrdp codebase, this corresponds to the xrdp_client_info structure.

Unicode Conversion Flaw

The client transmits these strings using UTF‑16 encoding. However, the xrdp server converts them to UTF‑8 before storage. A helper function called ts_info_utf16_in was responsible for this conversion. The function receives the source buffer size (in bytes), the destination buffer, and its length. At first glance, it included a buffer overflow protection check:

if (!s_check_rem_and_log(s, src_bytes + 2, "ts_i

The code snippet above shows a size validation intended to prevent overwriting the destination. However, the vulnerability lay in an edge case where the conversion from UTF‑16 to UTF‑8 could produce more bytes than the provided buffer could hold—even when the source data appeared to fit the INFO_CLIENT_MAX_CB_LEN (512 bytes) limit. Specifically, because UTF‑8 encoding can expand some Unicode characters (e.g., characters outside the Basic Multilingual Plane require four bytes in UTF‑8 versus two in UTF‑16), a carefully crafted payload could exceed the destination buffer size, leading to a stack‑based buffer overflow. An attacker who successfully triggers this overflow could execute arbitrary code on the server with the privileges of the xrdp process.

Potential Impact

Successful exploitation of CVE-2025-68670 could allow an unauthenticated remote attacker to gain complete control over the target system. Given that xrdp is often deployed on enterprise thin‑client servers or as a remote access gateway, the consequences could include data theft, lateral movement within a network, or installation of backdoors. The vulnerability is particularly dangerous because it resides in a component that handles initial connection setup, before any authentication takes place.

Affected Versions and Fixes

The vulnerability affects all prior versions of xrdp up to and including:

xrdp 0.9.x series (before 0.9.27)
xrdp 0.10.x series (before 0.10.5 and before 0.10.4.1)

The maintainers have issued patches and recommend upgrading to the latest stable release. Specifically, administrators should upgrade to:

xrdp 0.10.5 (or later)
xrdp 0.9.27 (for those on the older branch)
xrdp 0.10.4.1 (as a backported fix)

Recommendations for Protection

Update xrdp immediately – Apply the latest patch versions listed above. This is the most effective countermeasure.
Restrict network access – Place xrdp servers behind a firewall and allow connections only from trusted IP ranges or via VPN.
Enable logging and monitoring – Review logs for any unusual RDP connection attempts or error messages related to the Secure Settings Exchange phase.
Use sandboxing or containerization – Run xrdp in a restricted environment (e.g., a Docker container) to limit the impact of a potential compromise.
Consider alternative authentication methods – Where possible, use certificate‑based authentication or multi‑factor authentication to reduce reliance on password‑based credentials.

Conclusion

Security researchers at Kaspersky have once again demonstrated the importance of proactive vulnerability discovery in critical infrastructure components. The responsible disclosure process for CVE-2025-68670 ensured that the xrdp community could patch the flaw before it could be widely exploited. Administrators running xrdp should treat this vulnerability with high priority and update their installations without delay. By understanding the technical mechanism—a subtle Unicode conversion issue—we can better appreciate both the challenges of secure coding and the value of thorough security audits.

For additional context, you may refer back to the introduction or jump to the recommendations section for immediate actions.

Darhost