Critical RCE Flaw Found in xrdp Remote Desktop Server – Update Now
Breaking: Kaspersky Discovers Remote Code Execution Vulnerability in xrdp (CVE-2025-68670)
A severe remote code execution (RCE) vulnerability has been uncovered in the xrdp remote desktop server, a widely used open‑source component in Linux environments. Tracked as CVE-2025-68670, the flaw allows an attacker to execute arbitrary code on a target system before authentication.

The discovery was made by security researchers at Kaspersky during a routine audit of their Kaspersky USB Redirector product, which integrates with xrdp to enable secure USB device redirection. The team promptly reported the issue to the xrdp maintainers, who released patches in versions 0.10.5, 0.9.27, and 0.10.4.1.
“We take the security of our products seriously and regularly conduct security assessments,” said a Kaspersky spokesperson. “This vulnerability, if left unpatched, could allow attackers to compromise thin client deployments and critical infrastructure relying on remote desktop services.”
Technical Details: Buffer Overflow in Client Info Handling
The vulnerability resides in the Secure Settings Exchange phase of the RDP connection process, which occurs immediately before client authentication. During this phase, the client sends a Client Info PDU containing credentials (username, password, domain, etc.) in Unicode (UTF‑16) format.
The xrdp server converts this data to UTF‑8 using the ts_info_utf16_in function. The function is given the size of the destination buffer as a bounds check, but a flaw in its validation logic lets a malformed, oversized input slip past that check.
Below is a simplified representation of the vulnerable code flow:

```c
char domain[INFO_CLIENT_MAX_CB_LEN]; // 512 bytes
// the destination size is passed for the bounds check, yet oversized input can still bypass it
if (ts_info_utf16_in(s, len_domain, self->rdp_layer->client_info.domain, sizeof(domain)) != 0)
{ ... }
```
If an attacker sends a specially crafted Unicode string that exceeds 512 bytes after conversion, the buffer can be overflowed, enabling remote code execution with the privileges of the xrdp process (typically root or a high‑integrity user).
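As an added illustration (this is not xrdp's ts_info_utf16_in and not the maintainers' fix), here is a UTF‑16LE to UTF‑8 converter that re-checks the destination size before every byte it writes. The constructed second input is shorter than 512 bytes as UTF‑16 but longer than 512 bytes once converted, which is precisely the expansion a length check on this kind of field has to account for.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not xrdp code: convert cb bytes of UTF-16LE from src into buff
 * (bufflen bytes, always NUL-terminated). Returns 0 on success, -1 if the output
 * plus NUL would not fit or the input is malformed. One 16-bit unit may expand to
 * three UTF-8 bytes (a surrogate pair to four), so the check happens per write. */
int utf16le_to_utf8_bounded(const uint8_t *src, size_t cb, char *buff, size_t bufflen)
{
    static const uint8_t lead[] = {0x00, 0xC0, 0xE0, 0xF0};
    size_t in = 0, out = 0;
    if (bufflen == 0 || (cb & 1) != 0) return -1;
    while (in < cb) {
        uint32_t cp = src[in] | (src[in + 1] << 8);
        in += 2;
        if (cp >= 0xD800 && cp <= 0xDBFF) {          /* high surrogate: needs a low one */
            if (in + 2 > cb) return -1;
            uint32_t lo = src[in] | (src[in + 1] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF) return -1;
            in += 2;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                                /* lone low surrogate */
        }
        if (cp == 0) break;                           /* UTF-16 terminator */
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (out + need + 1 > bufflen) return -1;      /* would overflow: refuse, write nothing */
        buff[out++] = (char)(lead[need - 1] | (cp >> (6 * (need - 1))));
        for (size_t i = need - 1; i > 0; i--)
            buff[out++] = (char)(0x80 | ((cp >> (6 * (i - 1))) & 0x3F));
    }
    buff[out] = '\0';
    return 0;
}
/* Constructed inputs (not captured traffic): "Ab", then 200 x U+20AC, which is
 * 400 bytes of UTF-16 but 600 bytes of UTF-8 against a 512-byte destination. */
int demo_short_input_fits(void)
{
    const uint8_t src[] = {'A', 0, 'b', 0, 0, 0};
    char buff[512];
    return utf16le_to_utf8_bounded(src, sizeof(src), buff, sizeof(buff)) == 0
        && strcmp(buff, "Ab") == 0;
}
int demo_expanding_input_rejected(void)
{
    uint8_t src[400]; char buff[512];
    for (size_t i = 0; i < sizeof(src); i += 2) { src[i] = 0xAC; src[i + 1] = 0x20; }
    return utf16le_to_utf8_bounded(src, sizeof(src), buff, sizeof(buff)) == -1;
}
```

A check that only compared the UTF‑16 byte count (400) against the destination size (512) would accept the second input; checking the converted length is what keeps the write inside the buffer.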
Background: What Is xrdp and Why Does This Matter?
Xrdp is an open‑source implementation of the Microsoft Remote Desktop Protocol (RDP) for Linux. It enables users to connect from Windows, macOS, or Linux clients to a Linux desktop environment. It is often deployed in enterprise thin client solutions, virtual desktop infrastructures (VDI), and cloud environments where security is paramount.
Kaspersky’s USB Redirector extends xrdp’s capabilities by allowing remote access to local USB devices (flash drives, smart cards, printers) within a remote session. This integration means the vulnerability affects not only standalone xrdp servers but also systems using Kaspersky Thin Client software.

What This Means for Users and Organizations
Urgent action is required. Any organization running xrdp versions prior to 0.10.5 (or the backported patches in 0.9.27 and 0.10.4.1) should upgrade immediately. Exploitation can occur without authentication, making this a high‑severity threat (CVSS score pending but likely 9.8 critical).
- Risk: An unauthenticated attacker can gain full control of the remote desktop server.
- Attack vector: The vulnerability is triggered by a malicious RDP client during connection setup. No user interaction is required.
- Mitigation: Update to the patched xrdp version or apply vendor‑supplied hotfixes. Restrict network access to xrdp (port 3389) where possible.
“The xrdp maintainers acted swiftly, but the onus is on administrators to deploy the updates without delay,” cautioned Igor Kuzmenko, lead researcher at Kaspersky. “Given the widespread use of xrdp in enterprise thin clients, this vulnerability could be a prime target for ransomware operators or state‑sponsored actors.”
Recommendations
- Immediate upgrade: Update xrdp to version 0.10.5 or later. For long‑term support branches, apply the backported fix to 0.9.27 or 0.10.4.1.
- Network segmentation: If immediate patching is not feasible, place xrdp servers behind a VPN or firewall, and restrict incoming connections to trusted IPs.
- Monitor for exploitation: Review logs for unusual RDP connection attempts or anomalous Unicode‑related errors.
For a complete description of the flaw and advisory, refer to the official xrdp security bulletin. Organizations using Kaspersky USB Redirector should contact their support channel for additional guidance.