Critical Remote Code Execution Flaw in xrdp Threatens Remote Desktop Security
Kaspersky security researchers have uncovered a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-68670, in the xrdp remote desktop server for Linux. The flaw could allow an attacker to execute arbitrary code on vulnerable systems, compromising remote desktop sessions.
Background
xrdp is an open-source implementation of the Remote Desktop Protocol (RDP) commonly used in thin client environments. Kaspersky integrates xrdp into its Kaspersky Thin Client operating system and offers the Kaspersky USB Redirector module to extend USB device access over remote sessions.

Vulnerability Details
The vulnerability resides in the Secure Settings Exchange phase, which occurs before client authentication. During this phase, the client sends protected credentials—including usernames, passwords, and domain names—inside a Client Info PDU (protocol data unit) as TS_INFO_PACKET structures.
Each of these fields is limited to 512 bytes and is UTF-16 encoded. The xrdp server converts them to UTF-8 using the ts_info_utf16_in function. Researchers found that improper buffer size validation in this conversion can lead to a stack-based buffer overflow, enabling remote code execution.
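The following is an added example, not xrdp's code and not a reconstruction of the flaw: a bounded UTF-16LE to UTF-8 converter in C. It shows why the output size has to be validated separately from the 512-byte input limit, since 256 UTF-16 code units can expand to 768 bytes of UTF-8. The function names and the sample input are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not xrdp's ts_info_utf16_in): convert in_len bytes of
 * UTF-16LE into dst, whose capacity dst_cap includes the terminating NUL.
 * Returns the UTF-8 length, or -1 on malformed input or insufficient space. */
static int utf16le_to_utf8_bounded(const uint8_t *in, size_t in_len,
                                   char *dst, size_t dst_cap)
{
    static const uint8_t lead[5] = {0, 0, 0xC0, 0xE0, 0xF0};
    size_t o = 0;
    if (dst_cap == 0 || (in_len & 1)) return -1;  /* odd length: truncated unit */
    for (size_t i = 0; i < in_len; i += 2) {
        uint32_t cp = in[i] | ((uint32_t)in[i + 1] << 8);
        if (cp == 0) break;                       /* NUL terminator ends the field */
        if (cp >= 0xD800 && cp <= 0xDBFF) {       /* high surrogate: need a pair */
            if (i + 3 >= in_len) return -1;
            uint32_t lo = in[i + 2] | ((uint32_t)in[i + 3] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF) return -1;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
            i += 2;
        }
        if (cp >= 0xDC00 && cp <= 0xDFFF) return -1;    /* lone low surrogate */
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (need > dst_cap - 1 - o) return -1;    /* checked before any write */
        dst[o++] = (char)(lead[need] | (cp >> (6 * (need - 1))));
        for (size_t k = need - 1; k-- > 0; )      /* continuation bytes */
            dst[o++] = (char)(0x80 | ((cp >> (6 * k)) & 0x3F));
    }
    dst[o] = '\0';
    return (int)o;
}

/* Constructed input: n_units copies of U+20AC, 3 UTF-8 bytes each. */
static int convert_euro_field(size_t n_units, size_t dst_cap)
{
    uint8_t in[512];
    char dst[1024];
    if (n_units > 256 || dst_cap > sizeof dst) return -2;
    for (size_t i = 0; i < n_units; i++) { in[2 * i] = 0xAC; in[2 * i + 1] = 0x20; }
    return utf16le_to_utf8_bounded(in, n_units * 2, dst, dst_cap);
}

int main(void)
{
    printf("%d %d\n", convert_euro_field(256, 512), convert_euro_field(256, 769));
    return 0;
}
```

A full 512-byte field of three-byte characters is rejected for a 512-byte destination and only fits once the destination holds 768 bytes plus the terminator.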
Disclosure and Fix
Kaspersky reported the issue to the xrdp project maintainers, who responded swiftly. The vulnerability is patched in xrdp version 0.10.5, with backports to versions 0.9.27 and 0.10.4.1. A security bulletin has been issued.

“We take security seriously and are grateful to the xrdp team for their fast response,” said a Kaspersky security researcher. “Users should update immediately to block potential exploits.”
What This Means
This vulnerability poses a serious risk to organizations relying on thin clients and remote desktop infrastructure. An attacker with network access could exploit CVE-2025-68670 to take control of an xrdp server without authentication. The flaw has a high severity rating and is likely to attract exploit development.
Users of Kaspersky Thin Client and USB Redirector are urged to apply the latest xrdp patches. The xrdp community recommends upgrading to version 0.10.5 or later, or applying backported patches for older releases. Administrators should review their remote desktop configurations and ensure firewall rules restrict access to trusted networks.
Timeline
- Flaw discovered during Kaspersky’s security audit of USB Redirector
- Reported to xrdp maintainers in [Month Year]
- Fix released in xrdp 0.10.5, backported to 0.9.27 and 0.10.4.1
- CVE-2025-68670 assigned