
Critical Remote Code Execution Flaw Discovered in xrdp – CVE-2025-68670

Last updated: 2026-05-11 03:23:47 · Cybersecurity

Breaking: Critical RCE Vulnerability in xrdp Server

Security researchers at Kaspersky have uncovered a critical remote code execution (RCE) vulnerability in the widely used xrdp remote desktop server. Tracked as CVE-2025-68670, the flaw could allow attackers to take full control of systems running vulnerable versions.

Critical Remote Code Execution Flaw Discovered in xrdp – CVE-2025-68670
Source: securelist.com

The vulnerability was discovered during a routine security audit of Kaspersky's USB Redirector module, which integrates with xrdp on Linux-based thin clients. Kaspersky immediately reported the flaw to the xrdp project maintainers.

"We take security seriously, and this finding highlights the importance of regular audits," said a Kaspersky security researcher. "The xrdp team responded swiftly, releasing patches within days."

Technical Details: How the Attack Works

The bug lies in the Secure Settings Exchange phase of the RDP connection process, just before client authentication. At this point, the client sends protected credentials encapsulated in a Client Info PDU as Unicode UTF-16 strings up to 512 bytes long.

When the xrdp server converts this incoming data from UTF-16 to UTF-8, a buffer overflow vulnerability occurs. The ts_info_utf16_in function fails to properly validate the size of the output buffer, allowing an attacker to overwrite adjacent memory.

This memory corruption can be weaponized to inject and execute arbitrary code on the server. The vulnerable fields include username, password, domain, program, and directory — each defined with a maximum length of 512 bytes (INFO_CLIENT_MAX_CB_LEN).

Kaspersky's analysis confirmed that the issue is exploitable before authentication, making it especially dangerous for exposed RDP endpoints.
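The class of bug described above is a UTF-16 to UTF-8 conversion that does not check the destination size: a 512-byte UTF-16 field (256 code units) can expand to 768 bytes of UTF-8, since every BMP character can take three bytes. The following C is an added illustration, not xrdp's code and not its patched ts_info_utf16_in; the function and demo names are hypothetical, and only the 512-byte INFO_CLIENT_MAX_CB_LEN limit comes from the article. It shows a bounded converter that rejects a field that would not fit rather than writing past the buffer.

```c
#include <stdint.h>
#include <stddef.h>

#define INFO_CLIENT_MAX_CB_LEN 512   /* UTF-16 field limit quoted in the article */

/* Bounded UTF-16LE -> UTF-8 conversion (added illustration, not xrdp's code).
 * Writes a NUL-terminated string into out[out_size]. Returns the number of
 * UTF-8 bytes written (excluding NUL), or -1 if the input is malformed or
 * the result would not fit. The fit check is what a naive converter omits. */
int utf16le_to_utf8_bounded(const uint8_t *in, size_t in_len,
                            char *out, size_t out_size)
{
    static const uint8_t lead[5] = { 0, 0, 0xC0, 0xE0, 0xF0 };
    size_t i = 0, o = 0;
    if (out_size == 0 || (in_len & 1)) return -1;
    while (i < in_len) {
        uint32_t cp = in[i] | ((uint32_t)in[i + 1] << 8);
        i += 2;
        if (cp >= 0xD800 && cp <= 0xDBFF) {            /* high surrogate needs a low one */
            if (i + 2 > in_len) return -1;
            uint32_t lo = in[i] | ((uint32_t)in[i + 1] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF) return -1;
            i += 2;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                                  /* lone low surrogate */
        }
        if (cp == 0) break;                              /* NUL ends the field */
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (o + need >= out_size) return -1;             /* would not fit with NUL: reject */
        out[o++] = (char)(lead[need] | (cp >> (6 * (need - 1))));
        for (size_t k = need - 1; k > 0; k--)            /* continuation bytes, 6 bits each */
            out[o++] = (char)(0x80 | ((cp >> (6 * (k - 1))) & 0x3F));
    }
    out[o] = '\0';
    return (int)o;
}
/* Worst case: each 2-byte UTF-16 unit may become 3 UTF-8 bytes, plus NUL. */
size_t utf8_worst_case(size_t utf16_bytes) { return (utf16_bytes / 2) * 3 + 1; }

/* Constructed 512-byte field of U+20AC (euro sign, 3 UTF-8 bytes each) converted
 * into a destination of out_size bytes; returns the converter's result. */
int demo_euro_field(size_t out_size)
{
    uint8_t field[INFO_CLIENT_MAX_CB_LEN];
    char out[769]; if (out_size > sizeof out) out_size = sizeof out;  /* utf8_worst_case(512) */
    for (size_t i = 0; i < sizeof field; i += 2) { field[i] = 0xAC; field[i + 1] = 0x20; }
    return utf16le_to_utf8_bounded(field, sizeof field, out, out_size);
}
```

A destination sized to the UTF-16 field (512 bytes) is refused with -1, while one sized to the worst case (769 bytes) receives the full 768-byte result.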

Background

xrdp is an open-source implementation of the Remote Desktop Protocol for Linux, commonly used to provide remote access to thin clients. Kaspersky Thin Client, a specialized OS for enterprise environments, relies on xrdp for remote desktop sessions.


The Kaspersky USB Redirector extends xrdp to allow remote access to local USB devices such as flash drives, smart cards, and printers. This module was the subject of the security audit that uncovered CVE-2025-68670.

The xrdp project maintainers have released fixes in version 0.10.5, with backports to versions 0.9.27 and 0.10.4.1. A security bulletin has been published.

What This Means

Organizations using xrdp — especially those deploying Kaspersky Thin Client or third-party thin client solutions — should urgently update to the patched versions. The vulnerability could allow an unauthenticated remote attacker to execute arbitrary code with the privileges of the xrdp process, potentially leading to full system compromise.

Administrators are advised to restrict RDP access to trusted networks and apply the latest xrdp patches immediately. Kaspersky has also updated its USB Redirector module to address the flaw.

The discovery underscores the critical need for continuous security audits in open-source components that are integrated into commercial products.

This is a breaking story. More details will be added as they emerge.