Critical RCE Bug in xrdp Server Puts Remote Desktop Users at Risk

Breaking: Critical RCE Vulnerability Discovered in xrdp

A severe remote code execution (RCE) vulnerability, tracked as CVE-2025-68670, has been uncovered in the xrdp open-source remote desktop server. The flaw was identified during a security audit of Kaspersky's USB Redirector module, which integrates with xrdp to enable USB device sharing over RDP sessions. Attackers could exploit this bug to run arbitrary code on affected servers without authentication.

Critical RCE Bug in xrdp Server Puts Remote Desktop Users at Risk
Source: securelist.com

According to Kaspersky researchers, the vulnerability resides in the Secure Settings Exchange phase that occurs just before client authentication. An attacker can send a specially crafted Client Info PDU containing oversized Unicode data, triggering a buffer overflow when xrdp converts UTF-16 strings to UTF-8. This overflow allows overwriting adjacent memory, potentially leading to code execution with system privileges.

How the Attack Works

During RDP connection setup, the client transmits credentials and other parameters in a TS_INFO_PACKET structure. Each field (username, password, domain, etc.) can be up to 512 bytes of UTF-16. The server's ts_info_utf16_in function converts each field to UTF-8 and stores the result in a fixed-size buffer of 512 bytes.

Despite intended overflow protection, the conversion process introduces a vulnerability: a UTF-16 string of maximum size can expand beyond 512 bytes after conversion to UTF-8. The function does not adequately check the output length, allowing data to spill over into adjacent fields. "This creates a classic buffer overflow condition," explains a Kaspersky security engineer. "An attacker can control the overwritten data to hijack execution flow."
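To make the expansion concrete from the defender's side, here is an added example (not xrdp's code and not the `ts_info_utf16_in` function the article names): a UTF-16LE to UTF-8 converter that computes how many bytes each character needs before writing it and refuses the conversion when the 512-byte destination would be exceeded. The function names, the 512-byte field sizes and the constructed sample fields are assumptions for illustration; the only identifier taken from the article is the field size itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not xrdp's own code. Field sizes mirror the article:
 * a 512-byte UTF-16 field converted into a 512-byte UTF-8 buffer. */
#define FIELD_BYTES 512

/* Worst-case UTF-8 size for a UTF-16 string of n_bytes bytes: every 2-byte
 * code unit in U+0800..U+FFFF becomes 3 UTF-8 bytes, so 512 bytes of UTF-16
 * (256 code units) can become 768 bytes of UTF-8, well past a 512-byte buffer. */
size_t utf16_max_utf8_bytes(size_t n_bytes)
{
    return (n_bytes / 2) * 3;
}

/* Converts UTF-16LE in src (src_len bytes) to NUL-terminated UTF-8 in dst
 * (dst_cap bytes). Returns the number of bytes written (excluding the NUL),
 * or -1 if the output would not fit or the input is malformed. It never
 * writes beyond dst_cap, which is the check the article says was missing. */
int utf16le_to_utf8_bounded(const uint8_t *src, size_t src_len,
                            char *dst, size_t dst_cap)
{
    size_t in = 0, out = 0;
    if (dst_cap == 0) return -1;
    while (in + 1 < src_len) {
        uint32_t cp = (uint32_t)src[in] | ((uint32_t)src[in + 1] << 8);
        in += 2;
        if (cp >= 0xD800 && cp <= 0xDBFF) {            /* high surrogate */
            if (in + 1 >= src_len) return -1;          /* truncated pair */
            uint32_t lo = (uint32_t)src[in] | ((uint32_t)src[in + 1] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF) return -1; /* unpaired high */
            in += 2;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                                 /* lone low surrogate */
        }
        if (cp == 0) break;                            /* UTF-16 terminator */
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        /* Bounds check before any write: room for the encoded character
         * plus the terminating NUL. */
        if (out + need >= dst_cap) return -1;
        if (need == 1) {
            dst[out++] = (char)cp;
        } else if (need == 2) {
            dst[out++] = (char)(0xC0 | (cp >> 6));
            dst[out++] = (char)(0x80 | (cp & 0x3F));
        } else if (need == 3) {
            dst[out++] = (char)(0xE0 | (cp >> 12));
            dst[out++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            dst[out++] = (char)(0x80 | (cp & 0x3F));
        } else {
            dst[out++] = (char)(0xF0 | (cp >> 18));
            dst[out++] = (char)(0x80 | ((cp >> 12) & 0x3F));
            dst[out++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            dst[out++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    dst[out] = '\0';
    return (int)out;
}

/* Constructed sample: a full 512-byte UTF-16LE field of 256 euro signs
 * (U+20AC, 3 bytes each in UTF-8). A 512-byte destination must refuse it.
 * Returns 1 if the conversion was correctly refused, 0 otherwise. */
int demo_max_field_is_refused(void)
{
    uint8_t field[FIELD_BYTES];
    char out[FIELD_BYTES];
    for (size_t i = 0; i < FIELD_BYTES; i += 2) { field[i] = 0xAC; field[i + 1] = 0x20; }
    return utf16le_to_utf8_bounded(field, FIELD_BYTES, out, sizeof out) == -1;
}

/* Constructed sample: the short field "hi \u20AC" (6 UTF-8 bytes) converts
 * normally. Returns the byte count on success, -1 if the output is wrong. */
int demo_small_field_ok(void)
{
    const uint8_t hello[] = { 'h', 0, 'i', 0, 0x20, 0x00, 0xAC, 0x20 };
    char out[FIELD_BYTES];
    int n = utf16le_to_utf8_bounded(hello, sizeof hello, out, sizeof out);
    if (n < 0 || strcmp(out, "hi \xE2\x82\xAC") != 0) return -1;
    return n;
}

int main(void)
{
    printf("512-byte UTF-16 field can need %zu UTF-8 bytes\n",
           utf16_max_utf8_bytes(FIELD_BYTES));
    printf("small field converted: %d bytes\n", demo_small_field_ok());
    printf("maximal field refused: %d\n", demo_max_field_is_refused());
    return 0;
}
```

The design point is that the length check runs per character, on the encoded size, before the write: a check on the UTF-16 input length alone (512 bytes) says nothing about the UTF-8 output length, which is why a maximum-size field of three-byte characters overruns a buffer sized for the input. Rejecting the field outright rather than truncating is the simpler policy here; a truncating variant would have to avoid cutting a multi-byte sequence in half.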

Background

xrdp is a popular open-source implementation of Microsoft's Remote Desktop Protocol, widely used on Linux systems. Many organizations deploy it for remote access in thin client environments. Kaspersky USB Redirector is an add-on that lets users redirect local USB devices (flash drives, smart cards) to remote sessions securely.

Kaspersky routinely audits its products for security flaws. During a targeted assessment of USB Redirector last year, researchers stumbled upon the deeper xrdp flaw. They promptly reported it to the xrdp maintainers, who released fixes in version 0.10.5 and backported patches to 0.9.27 and 0.10.4.1. A security bulletin was also issued.

What This Means

This vulnerability is critical because it requires no user interaction and can be exploited before authentication. Any xrdp server that accepts unauthenticated RDP connections is potentially at risk. An attacker could gain full control of the server, access sensitive data, or pivot to internal networks.

"All xrdp users should upgrade to the patched versions immediately," urges the xrdp project maintainer via a public notice. "Even if you don't use Kaspersky USB Redirector, this flaw is in core xrdp code and affects all installations." Organizations using thin client solutions are especially urged to prioritize patching.

Recommendations

For full technical details, refer to the [official CVE entry](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68670) and the xrdp security bulletin.
