Critical RCE Vulnerability Found in xrdp Server Enables Remote Code Execution
Breaking: Remote Code Execution Flaw Discovered in xrdp Server
A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-68670, has been identified in the xrdp remote desktop server. The flaw allows an authenticated attacker to execute arbitrary code on the target system. Security researchers at Kaspersky discovered the bug during a routine audit of their USB Redirector module.

Kaspersky reported the vulnerability to xrdp maintainers, who swiftly addressed it. The fix was released in version 0.10.5, with backports to versions 0.9.27 and 0.10.4.1. A security bulletin has been issued to alert users.
Technical Details of CVE-2025-68670
The vulnerability resides in the Secure Settings Exchange phase of the RDP connection process, which occurs just before client authentication. At this stage, the client sends protected credentials—such as username, password, and auto-reconnect cookies—in a structure called TS_INFO_PACKET.
In xrdp, these fields are stored in the xrdp_client_info structure, with each field limited to 512 bytes (INFO_CLIENT_MAX_CB_LEN). However, the fields arrive as UTF-16 and are converted to UTF-8, and a UTF-16 string that fits the limit can expand to more bytes once encoded as UTF-8, so the conversion can overflow the destination buffer if its bound is not enforced on the converted output. The ts_info_utf16_in function was responsible for that bounds check, but under certain conditions the check did not prevent the overflow.
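To illustrate the class of bug the article describes, here is an added example (not xrdp's code; the exact shape of the flawed check in ts_info_utf16_in is not given on this page) of a UTF-16LE to UTF-8 converter that enforces the limit on the output byte count before each write and fails closed. The helper euro_field_utf8_len is a constructed demonstration that a UTF-16 input of at most 512 bytes can still exceed a 512-byte UTF-8 field.

```c
#include <stdint.h>
#include <stddef.h>
/* Decode one code point at UTF-16 unit index pos. Returns units consumed
 * (1 or 2), or 0 for a lone or truncated surrogate. */
static size_t utf16le_decode(const uint8_t *in, size_t units, size_t pos, uint32_t *cp)
{
    uint32_t u = in[2 * pos] | ((uint32_t)in[2 * pos + 1] << 8);
    if (u < 0xD800 || u > 0xDFFF) { *cp = u; return 1; }
    if (u > 0xDBFF || pos + 1 >= units) return 0;
    uint32_t lo = in[2 * pos + 2] | ((uint32_t)in[2 * pos + 3] << 8);
    if (lo < 0xDC00 || lo > 0xDFFF) return 0;
    *cp = 0x10000 + ((u - 0xD800) << 10) + (lo - 0xDC00);
    return 2;
}

/* UTF-16LE -> NUL-terminated UTF-8. The limit is enforced on the *output*
 * byte count before every write; on overflow it fails closed with -1. */
int utf16le_to_utf8_bounded(const uint8_t *in, size_t in_bytes, char *out, size_t out_cap)
{
    size_t units = in_bytes / 2, pos = 0, n = 0;
    if (out_cap == 0) return -1;
    while (pos < units) {
        uint32_t cp;
        size_t used = utf16le_decode(in, units, pos, &cp);
        if (used == 0) return -1;
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (n + need + 1 > out_cap) return -1;          /* +1 keeps room for the NUL */
        if (need == 1) out[n++] = (char)cp;
        else {
            static const uint8_t lead[] = { 0, 0, 0xC0, 0xE0, 0xF0 };
            out[n++] = (char)(lead[need] | (cp >> (6 * (need - 1))));
            for (size_t s = need - 1; s > 0; s--)
                out[n++] = (char)(0x80 | ((cp >> (6 * (s - 1))) & 0x3F));
        }
        pos += used;
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed input: count copies of U+20AC (2 bytes in UTF-16, 3 in UTF-8) into a
 * 512-byte field. Returns the UTF-8 length, or -1 when the converted string would
 * not fit even though the UTF-16 input itself was at most 512 bytes. */
int euro_field_utf8_len(size_t count)
{
    uint8_t in[512];
    char out[512];                                   /* INFO_CLIENT_MAX_CB_LEN */
    if (count > sizeof in / 2) return -1;
    for (size_t i = 0; i < count; i++) { in[2 * i] = 0xAC; in[2 * i + 1] = 0x20; }
    return utf16le_to_utf8_bounded(in, 2 * count, out, sizeof out);
}
```

A check that only compares the UTF-16 input length against the field size would accept the 200-character case (400 input bytes) that this converter correctly rejects (600 output bytes).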
“The vulnerability allows an attacker to craft a malicious Client Info PDU that overflows the destination buffer, leading to arbitrary code execution,” explained a Kaspersky security researcher on condition of anonymity. “This could give an attacker full control over the server.”
Background: xrdp and Kaspersky USB Redirector
xrdp is an open-source implementation of the Remote Desktop Protocol (RDP) for Linux. It is widely used in thin client environments and virtual desktop infrastructure (VDI). Kaspersky Thin Client, an operating system for thin clients, integrates xrdp for remote connections.
Kaspersky USB Redirector is a commercial add-on that enables USB device redirection over xrdp sessions. It allows users to access flash drives, tokens, smart cards, and printers securely. The vulnerability was found during a security audit of this module, highlighting the interconnected risk in third-party components.

What This Means for Users
Organizations running xrdp versions prior to 0.10.5, or older release branches without the backported fix, should update immediately. The vulnerability can be exploited remotely by an authenticated user—one who already has access to the RDP session—making it particularly dangerous in shared or multi-tenant environments.
“This is a serious issue because it elevates a regular authenticated session to full system compromise,” said a Kaspersky spokesperson. “We recommend applying the patch as soon as possible and monitoring for any suspicious activity in RDP connections.”
Administrators should also review their USB redirection policies and consider limiting access to sensitive USB devices until the patch is applied. The xrdp project maintainers have published the fix in their official repository.
Recommendations
- Update xrdp to version 0.10.5 or later (or apply backported patches for 0.9.27 and 0.10.4.1).
- Ensure all thin clients running Kaspersky Thin Client have the latest USB Redirector update.
- Audit RDP logs for signs of exploitation attempts involving malformed Client Info PDUs.
- Restrict network access to xrdp servers from untrusted hosts.
The Kaspersky research team continues to collaborate with open-source projects to improve security. This discovery underscores the importance of regular security audits, especially for components used in enterprise environments.