7 Critical Facts About the xrdp RCE Vulnerability (CVE-2025-68670)
Introduction
In the world of remote desktop solutions, xrdp is a widely used open-source server for Linux that provides a graphical login to remote machines. However, a recent security audit by Kaspersky’s team on their USB Redirector module — an add-on for Kaspersky Thin Client — uncovered a critical remote code execution (RCE) vulnerability in the xrdp server itself. Tracked as CVE-2025-68670, this flaw could allow an attacker to execute arbitrary code on a vulnerable system before authentication. The xrdp maintainers acted swiftly, releasing patches in versions 0.10.5, 0.9.27, and 0.10.4.1. Here are seven things you need to know to understand and mitigate this threat.

1. The Vulnerability Originates from the Client-Server Settings Exchange
The RDP connection process involves multiple stages in which the client and server negotiate capabilities. One critical phase is the Secure Settings Exchange, which occurs just before user authentication. During this phase, the client sends a Client Info PDU containing sensitive data such as the username, password, domain, and auto-reconnect cookies. These fields are carried in a TS_INFO_PACKET structure. The xrdp server stores this information in an internal xrdp_client_info structure, whose fields such as username, password, and domain are each limited to 512 bytes (defined by INFO_CLIENT_MAX_CB_LEN). The vulnerability lies specifically in how the server handles the incoming Unicode strings during this exchange.
2. The Buffer Size Seems Safe — But the Conversion Creates a Trap
Although the buffer limit (512 bytes) appears straightforward, the actual hazard emerges from the encoding conversion. The client transmits data using UTF-16 encoding (two bytes per code unit), while the server converts it to UTF-8 (one to four bytes per code point) before storing. The conversion function, ts_info_utf16_in, receives the source byte count and the destination buffer length. However, the implementation fails to account for the maximum expansion factor — UTF-8 can increase the size up to four times compared to the original UTF-16 string. As a result, a carefully crafted packet with a long Unicode string can overflow the fixed-size destination buffer, leading to memory corruption.
3. The Flaw Resides in the ts_info_utf16_in Function
This function is responsible for copying UTF-16 data from the incoming stream into a UTF-8 buffer. It checks that src_bytes + 2 bytes are available in the stream, but it does not verify that the resulting UTF-8 output will fit within dst_len. The code passes the buffer length (sizeof(xrdp_client_info.domain) = 512) as dst_len. During conversion, each UTF-16 character may become up to 3 UTF-8 bytes (for BMP characters) or 4 bytes (for supplementary characters). Without proper bounds checking, an attacker can send a payload that writes beyond the allocated array, potentially altering adjacent memory fields like program or directory, or even overwriting critical function pointers.
4. Exploitation Requires No Authentication
Because the vulnerable code path runs before the client is authenticated, an attacker does not need valid credentials to trigger the overflow; network access to a target xrdp server is enough. By crafting a malicious Client Info PDU with an excessively long domain name (or another string field) in UTF-16 format, they can cause a heap- or stack-based buffer overflow (depending on the platform and compiler). This pre-authentication exposure makes the vulnerability particularly dangerous, as it can be weaponized remotely to gain an initial foothold in an environment.

5. The Patch Closes the Gap with Proper Size Checks
The xrdp development team responded quickly to Kaspersky’s disclosure. In version 0.10.5, they modified the ts_info_utf16_in function to calculate the maximum possible UTF-8 output size before conversion. The fix ensures that if the converted data would exceed the destination buffer, the operation is halted and an error is returned. Additionally, they backported the patch to older stable branches: 0.9.27 and 0.10.4.1. Administrators are strongly advised to upgrade to these patched versions immediately.
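Sections 2, 3 and 5 describe the UTF-16 to UTF-8 conversion and the size check the patch adds. The following C example is added here and is not code from xrdp or from the Kaspersky write-up: it implements a bounded converter that measures the UTF-8 output size before writing anything and refuses input that would not fit, then exercises it with a constructed 400-byte UTF-16 domain string that would need 600 bytes of UTF-8. The function names, the INFO_CLIENT_MAX_CB_LEN stand-in and the sample strings are assumptions; the real ts_info_utf16_in and the exact form of the upstream fix are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for xrdp's INFO_CLIENT_MAX_CB_LEN (the page gives 512 bytes). */
#define INFO_CLIENT_MAX_CB_LEN 512

/* Decode one scalar from UTF-16LE: bytes consumed (2 or 4), or 0 if truncated/bad surrogate. */
static size_t utf16le_decode(const uint8_t *src, size_t avail, uint32_t *cp)
{
    uint32_t u, lo;
    if (avail < 2) return 0;
    u = src[0] | ((uint32_t)src[1] << 8);
    if (u >= 0xD800 && u <= 0xDBFF) {              /* high surrogate: need a pair */
        if (avail < 4) return 0;
        lo = src[2] | ((uint32_t)src[3] << 8);
        if (lo < 0xDC00 || lo > 0xDFFF) return 0;
        *cp = 0x10000 + ((u - 0xD800) << 10) + (lo - 0xDC00);
        return 4;
    }
    if (u >= 0xDC00 && u <= 0xDFFF) return 0;      /* lone low surrogate */
    *cp = u;
    return 2;
}

static size_t utf8_width(uint32_t cp)              /* UTF-8 width of one code point */
{
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/* Write cp as n UTF-8 bytes (n from utf8_width) into out. */
static void utf8_encode(uint32_t cp, size_t n, uint8_t *out)
{
    static const uint8_t lead[5] = { 0, 0x00, 0xC0, 0xE0, 0xF0 };
    for (size_t i = n - 1; i > 0; i--) { out[i] = 0x80 | (cp & 0x3F); cp >>= 6; }
    out[0] = lead[n] | (uint8_t)cp;
}

/* Exact UTF-8 byte count (NUL excluded) of a UTF-16LE buffer, or -1 if malformed. */
long utf16le_utf8_length(const uint8_t *src, size_t src_bytes)
{
    size_t pos = 0, total = 0, used;
    uint32_t cp;
    while (pos < src_bytes) {
        used = utf16le_decode(src + pos, src_bytes - pos, &cp);
        if (used == 0) return -1;
        total += utf8_width(cp);
        pos += used;
    }
    return (long)total;
}

/* Bounded conversion in the spirit of the fix the page describes: the output size is
 * computed before anything is written, and the call fails (-1, dst untouched) when the
 * result plus its NUL would not fit in dst_len. On success dst is NUL-terminated. */
long utf16le_to_utf8_bounded(const uint8_t *src, size_t src_bytes,
                             char *dst, size_t dst_len)
{
    long need = utf16le_utf8_length(src, src_bytes);
    size_t pos = 0, out = 0, used, n;
    uint32_t cp;
    if (need < 0 || (size_t)need + 1 > dst_len) return -1;
    while (pos < src_bytes) {                      /* cannot fail: measured above */
        used = utf16le_decode(src + pos, src_bytes - pos, &cp);
        n = utf8_width(cp);
        utf8_encode(cp, n, (uint8_t *)dst + out);
        out += n;
        pos += used;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Constructed sample of the trap: 200 copies of U+20AC are 400 bytes of UTF-16LE, under the
 * 512-byte field, yet 600 bytes of UTF-8. Returns 1 when the bounded conversion refuses it. */
int example_oversize_domain_rejected(void)
{
    uint8_t src[400];
    char domain[INFO_CLIENT_MAX_CB_LEN];
    for (size_t i = 0; i < sizeof src; i += 2) { src[i] = 0xAC; src[i + 1] = 0x20; }
    return sizeof src <= sizeof domain
        && utf16le_utf8_length(src, sizeof src) == 600
        && utf16le_to_utf8_bounded(src, sizeof src, domain, sizeof domain) == -1;
}

int example_ascii_domain_accepted(void)         /* constructed ASCII domain converts */
{
    const uint8_t src[] = { 'C', 0, 'O', 0, 'R', 0, 'P', 0 };
    char domain[INFO_CLIENT_MAX_CB_LEN];
    long rc = utf16le_to_utf8_bounded(src, sizeof src, domain, sizeof domain);
    return rc == 4 && strcmp(domain, "CORP") == 0;
}

int main(void)
{
    printf("oversize domain rejected: %d\n", example_oversize_domain_rejected());
    printf("ascii domain accepted:    %d\n", example_ascii_domain_accepted());
    return 0;
}
```

Build with `cc -std=c99 -Wall -o utf16_bounds utf16_bounds.c` and run it. The converter measures the exact output length; a cheaper alternative that the page's wording also allows is to compare the worst-case bound `(src_bytes / 2) * 3 + 1` against `dst_len`, which needs no decoding pass but rejects some inputs that would in fact fit. Either is acceptable as long as the decision is made before the first byte is written, so a rejected string can never leave a field partially overwritten.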
6. All xrdp Deployments Are Potentially at Risk
While the vulnerability was discovered through Kaspersky’s USB Redirector module, the flaw exists in the core xrdp code and affects all xrdp servers, regardless of whether the USB Redirector is installed. This includes standalone xrdp installations, Linux terminal servers, and thin client environments. The Kaspersky Thin Client OS is not inherently vulnerable, but any system running xrdp without the latest patches is at risk. Organizations using xrdp for remote access should prioritize updating their servers.
7. Immediate Steps to Protect Your Environment
To mitigate the threat from CVE-2025-68670, follow these recommendations:
- Upgrade xrdp to version 0.10.5, 0.9.27, or 0.10.4.1 (or later).
- Restrict network access to the xrdp port (default 3389) using firewalls or VPNs.
- Monitor logs for unusual connection attempts or crashes.
- Apply defense-in-depth measures such as intrusion detection systems and regular vulnerability scanning.
If immediate patching is not possible, consider disabling the RDP service temporarily or placing it behind a secure gateway.
Conclusion
The discovery of CVE-2025-68670 underscores the importance of continuous security assessments in open-source software. A simple encoding conversion oversight led to a critical RCE vulnerability that could be exploited before authentication. Thanks to the coordinated disclosure between Kaspersky and the xrdp team, patches are now available. System administrators must act quickly to apply these updates and review their remote access security posture. Staying informed and proactive is the best defense against such threats.