Critical RCE Vulnerability Discovered in xrdp Remote Desktop Server – Immediate Update Required


A remote code execution (RCE) vulnerability, tracked as CVE-2025-68670, has been discovered in the xrdp remote desktop server for Linux. The flaw allows an attacker to execute arbitrary code on an affected server, potentially compromising entire remote sessions.

Source: securelist.com

Kaspersky researchers uncovered the vulnerability during a security audit of their USB Redirector module, which extends xrdp functionality. The finding was responsibly disclosed to the xrdp maintainers, who have released patches in versions 0.10.5, 0.9.27, and 0.10.4.1.

Urgent Call to Action

“This vulnerability could allow an attacker to gain full control of the xrdp server, leading to data theft or further network compromise,” said a Kaspersky security researcher. “All users should update immediately.”

The xrdp project maintainers thanked Kaspersky for the disclosure and urged administrators to apply the patches without delay. “We have backported the fix to ensure broad protection,” a maintainer stated.

Background: The Vulnerability in Detail

xrdp is an open-source remote desktop server for Linux, widely used in thin client environments. Kaspersky Thin Client integrates xrdp with the Kaspersky USB Redirector module, enabling secure access to local USB devices within remote sessions.

The vulnerability lies in the Secure Settings Exchange phase, which occurs just before client authentication. During this exchange, the client sends a Client Info PDU containing credentials such as username, password, and domain in a TS_INFO_PACKET structure. Each field is transmitted as a UTF-16 Unicode string of up to 512 bytes, with a required null terminator.

In the xrdp code, these fields are stored in an xrdp_client_info structure with a fixed buffer size defined by INFO_CLIENT_MAX_CB_LEN (512 bytes). The server converts the UTF-16 data to UTF-8 using the function ts_info_utf16_in. This function receives the source byte count and the destination buffer size, but a miscalculation of the required output length can lead to a buffer overflow.

Specifically, the conversion does not properly account for the expansion factor when converting from UTF-16 to UTF-8: a 2-byte UTF-16 code unit can encode to as many as 3 bytes of UTF-8, so a 512-byte UTF-16 field can require up to 768 bytes, more than the 512-byte destination holds. This lets an attacker write beyond the allocated buffer, and the overflow can be exploited to inject malicious code.
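To make the expansion concrete, the following is an added example written for this article (it is not xrdp's ts_info_utf16_in or any code from the advisory): a bounded UTF-16LE to UTF-8 conversion that measures the full output before writing a byte, plus a constructed 512-byte worst-case field that such a routine must refuse. The 512-byte destination mirrors the INFO_CLIENT_MAX_CB_LEN size the article gives; the function and sample names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Decode one UTF-16LE code point; returns units consumed, 0 on a bad surrogate. */
static size_t utf16le_decode(const uint8_t *s, size_t units, uint32_t *cp)
{
    uint32_t hi = s[0] | (uint32_t)s[1] << 8, lo;
    if (hi < 0xD800 || hi > 0xDFFF) { *cp = hi; return 1; }     /* plain BMP unit */
    if (hi > 0xDBFF || units < 2) return 0;          /* lone low surrogate, or cut */
    lo = s[2] | (uint32_t)s[3] << 8;
    if (lo < 0xDC00 || lo > 0xDFFF) return 0;
    *cp = 0x10000 + ((hi - 0xD800) << 10) + (lo - 0xDC00);
    return 2;
}
/* Encode cp as UTF-8 into out, or only measure it when out is NULL. */
static size_t utf8_encode(uint32_t cp, char *out)
{
    static const uint8_t lead[] = {0, 0x00, 0xC0, 0xE0, 0xF0};
    size_t n = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if (!out) return n;
    for (size_t k = n; k-- > 1; cp >>= 6) out[k] = (char)(0x80 | (cp & 0x3F));
    out[0] = (char)(lead[n] | cp);
    return n;
}
/* Bounded conversion: measure the whole output first, then write. Returns the UTF-8
   length (NUL appended) or -1, writing nothing, if it would not fit or input is bad. */
int utf16le_to_utf8_bounded(const uint8_t *src, size_t src_bytes, char *dst, size_t dst_size)
{
    size_t units = src_bytes / 2, i, n, need = 0, out = 0;
    uint32_t cp;
    for (i = 0; i < units; i += n) {                            /* pass 1: measure */
        if ((n = utf16le_decode(src + 2 * i, units - i, &cp)) == 0) return -1;
        need += utf8_encode(cp, NULL);
    }
    if (need + 1 > dst_size) return -1;               /* refuse rather than overflow */
    for (i = 0; i < units; i += n) {                            /* pass 2: write */
        n = utf16le_decode(src + 2 * i, units - i, &cp);
        out += utf8_encode(cp, dst + out);
    }
    dst[out] = '\0';
    return (int)out;
}
char SCRATCH[512];  /* destination of the INFO_CLIENT_MAX_CB_LEN size the article gives */
const uint8_t SAMPLE_SMALL[] = {0x41, 0x00, 0x3D, 0xD8, 0x00, 0xDE};  /* "A" + U+1F600 -> 5 bytes */
/* Constructed worst case: 256 x U+4E2D = 512 bytes of UTF-16LE (the field maximum) -> 768 bytes. */
int demo_oversized_field_rejected(void)
{
    uint8_t field[512];
    for (size_t i = 0; i < sizeof field; i += 2) { field[i] = 0x2D; field[i + 1] = 0x4E; }
    return utf16le_to_utf8_bounded(field, sizeof field, SCRATCH, sizeof SCRATCH);  /* -1 */
}
```

A conversion that sized its output from the UTF-16 byte count alone would accept the worst-case field and write 256 bytes past a 512-byte buffer.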


What This Means for Users

This vulnerability affects all xrdp deployments using versions prior to the patched releases. Any administrator running xrdp on Linux servers—especially those using Kaspersky Thin Client or similar USB Redirector setups—is at risk.

An attacker who can initiate an RDP connection to a vulnerable server could send a specially crafted Client Info PDU to trigger the overflow and execute remote code. Successful exploitation could lead to complete server compromise, including data exfiltration, installation of malware, or lateral movement within the network.

Affected Versions

All xrdp releases before the patched versions are affected: the 0.9.x branch prior to 0.9.27, and the 0.10.x branch prior to 0.10.4.1 and 0.10.5.

Recommendations for Mitigation

Organizations using xrdp should upgrade to the latest patched version immediately. For the 0.9.x branch, update to 0.9.27 or later. For the 0.10.x branch, update to 0.10.4.1 or 0.10.5.

If immediate patching is not possible, consider restricting RDP access to trusted networks or using a VPN. Monitor logs for suspicious Client Info PDU payloads.

Additional Resources

Kaspersky recommends reviewing the technical details above and consulting the xrdp security bulletin for full mitigation steps. Kaspersky USB Redirector users are also encouraged to update their thin client operating system.

“We continue to invest in security assessments to protect our users,” the Kaspersky researcher concluded. “This discovery reinforces the importance of responsible disclosure and prompt patching.”
