
Critical Remote Code Execution Vulnerability Discovered in xrdp Server - CVE-2025-68670

Last updated: 2026-05-14 03:54:09 · Cybersecurity

Breaking: Critical Remote Code Execution Flaw in xrdp Server Exposed

Moscow, Russia – March 11, 2025 – Security researchers at Kaspersky have uncovered a critical remote code execution (RCE) vulnerability in xrdp, a popular open-source Remote Desktop Protocol (RDP) server for Linux. Assigned CVE-2025-68670, the flaw resides in how xrdp handles UTF-16 to UTF-8 string conversion during client authentication, potentially allowing an attacker to execute arbitrary code on vulnerable systems.

Critical Remote Code Execution Vulnerability Discovered in xrdp Server - CVE-2025-68670
Source: securelist.com

Kaspersky disclosed the vulnerability after discovering it during a routine security audit of their Kaspersky USB Redirector, a module that extends xrdp to provide secure USB device access over RDP. The xrdp project maintainers quickly patched the issue in version 0.10.5, with backports to 0.9.27 and 0.10.4.1, and released a security bulletin.

Details of the Vulnerability

The flaw lies in the Secure Settings Exchange phase, just before client authentication. The client sends a Client Info PDU containing username, password, domain, and other data in UTF-16 encoded Unicode strings, each limited to 512 bytes plus a null terminator.

In xrdp’s xrdp_client_info structure, these strings are stored in fixed-size buffers of 512 characters. The conversion function ts_info_utf16_in attempts to protect against overflow by passing the destination buffer size. However, a string that stays within the 512-byte UTF-16 limit on the wire can still grow past that buffer once converted to UTF-8, so a crafted Unicode string in the credentials yields a buffer overflow and potential code execution.

“The buffer overflow occurs because the UTF-8 conversion can expand certain Unicode characters beyond the expected size, even when the original UTF-16 byte count is within limits,” explained a Kaspersky security researcher speaking on condition of anonymity. “An attacker controlling the credentials can exploit this to overwrite adjacent memory and execute arbitrary code.”
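To make the expansion concrete, here is an added C example written for this article; it is not xrdp's ts_info_utf16_in or any other xrdp code. It contrasts the flawed reasoning that bounds the conversion by the UTF-16 input size with an output-bounded UTF-16LE to UTF-8 converter that refuses to write past its buffer. The 512-byte field limit and the 512-character buffer are the figures stated above; the constructed username of 256 copies of U+4E2D, the function names and the FIELD_* constants are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not xrdp's code: bounding a UTF-16 -> UTF-8 conversion by
 * the input byte count versus bounding it where the output is written. */

/* Upper bound on the UTF-8 size of utf16_bytes bytes of UTF-16. A 2-byte code
 * unit in U+0800..U+FFFF becomes 3 UTF-8 bytes and a 4-byte surrogate pair
 * becomes 4 UTF-8 bytes, so 3 bytes per code unit (1.5x) is the worst case. */
size_t utf8_worst_case(size_t utf16_bytes)
{
    return (utf16_bytes / 2) * 3;
}

/* The flawed reasoning: "at most dst_chars bytes of UTF-16 arrive, so the
 * converted string fits in dst_chars bytes". That only holds for ASCII. */
int input_size_check_passes(size_t utf16_bytes, size_t dst_chars)
{
    return utf16_bytes <= dst_chars;
}

/* Output-bounded UTF-16LE -> UTF-8 conversion. dst_size includes the NUL.
 * Returns bytes written (excluding the NUL), or -1 if the result would not
 * fit or the input is malformed. Never writes beyond dst[dst_size - 1]. */
int utf16le_to_utf8_checked(const uint8_t *src, size_t src_bytes,
                            char *dst, size_t dst_size)
{
    static const unsigned char lead[] = { 0, 0, 0xC0, 0xE0, 0xF0 };
    size_t in = 0, out = 0;

    if (dst_size == 0)
        return -1;

    while (in + 1 < src_bytes) {
        uint32_t cp = (uint32_t)src[in] | ((uint32_t)src[in + 1] << 8);
        size_t need, k;

        in += 2;
        if (cp == 0)
            break;                               /* terminator in input */

        if (cp >= 0xD800 && cp <= 0xDBFF) {      /* high surrogate */
            uint32_t lo;
            if (in + 1 >= src_bytes)
                return -1;                       /* truncated pair */
            lo = (uint32_t)src[in] | ((uint32_t)src[in + 1] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF)
                return -1;                       /* unpaired surrogate */
            in += 2;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                           /* lone low surrogate */
        }

        need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (out + need >= dst_size)              /* keep room for the NUL */
            return -1;

        if (need == 1) {
            dst[out++] = (char)cp;
        } else {                                 /* lead byte + continuations */
            dst[out++] = (char)(lead[need] | (cp >> (6 * (need - 1))));
            for (k = need - 1; k > 0; k--)
                dst[out++] = (char)(0x80 | ((cp >> (6 * (k - 1))) & 0x3F));
        }
    }
    dst[out] = '\0';
    return (int)out;
}

#define FIELD_UTF16_BYTES 512       /* per-field wire limit from the article */
#define FIELD_BUF_SIZE    (512 + 1) /* 512-character buffer plus NUL */

/* Constructed worst case (an assumption for this example): a 512-byte UTF-16LE
 * username of 256 copies of U+4E2D, each 3 bytes in UTF-8. The input-size
 * check passes (512 <= 512), yet the converted string would be 768 bytes, so
 * the checked converter returns -1 instead of writing past the buffer. */
int demo_expanding_username(void)
{
    uint8_t wire[FIELD_UTF16_BYTES];
    char buf[FIELD_BUF_SIZE];
    size_t i;

    for (i = 0; i < FIELD_UTF16_BYTES; i += 2) {
        wire[i] = 0x2D;                          /* U+4E2D, little-endian */
        wire[i + 1] = 0x4E;
    }
    if (!input_size_check_passes(sizeof wire, FIELD_BUF_SIZE - 1))
        return -2;                               /* not reached: 512 <= 512 */
    return utf16le_to_utf8_checked(wire, sizeof wire, buf, sizeof buf);
}

/* Plain ASCII converts 1:1 and is accepted: returns 5 and leaves "admin". */
int demo_ascii_username(void)
{
    const uint8_t wire[] = { 'a', 0, 'd', 0, 'm', 0, 'i', 0, 'n', 0 };
    char buf[FIELD_BUF_SIZE];
    int n = utf16le_to_utf8_checked(wire, sizeof wire, buf, sizeof buf);

    return (n == 5 && strcmp(buf, "admin") == 0) ? n : -3;
}
```

The point of the checked converter is that the bound is enforced where bytes are written, on the UTF-8 side, rather than inferred from the UTF-16 length; utf8_worst_case gives the sizing rule (1.5x the UTF-16 byte count) for anyone who reserves a fixed buffer for such a field, and the surrogate checks reject malformed input instead of guessing at its size.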

Background: The Role of xrdp and Kaspersky USB Redirector

xrdp is a widely used open-source RDP server for Linux, enabling remote desktop access from Windows clients. Kaspersky USB Redirector is a commercial add-on that allows thin clients running Kaspersky Thin Client OS to securely access local USB devices—such as flash drives, smart cards, and printers—within a remote session.

“While Kaspersky USB Redirector is not itself vulnerable, it interacts with xrdp in a way that exposed this underlying flaw,” said the researcher. “As part of our ongoing security assessments, we routinely test all components that our solutions integrate with.”

What This Means

This vulnerability affects any system running unpatched versions of xrdp, particularly those with Kaspersky USB Redirector enabled. Successful exploitation could allow an attacker to gain remote shell access, potentially leading to full system compromise.


“Immediate action is recommended,” urged the researcher. “Users and administrators should update xrdp to version 0.10.5, 0.9.27, or 0.10.4.1 as soon as possible. Those using Kaspersky Thin Client should ensure the latest updates are applied through standard patching channels.”

Kaspersky has also published a detailed technical analysis of CVE-2025-68670. The company emphasizes that no real-world exploitation has been reported yet, but the flaw is considered critical due to its ease of exploitation and potential impact.

For a complete list of affected versions and mitigation steps, refer to the Recommendations section below.

Recommendations and Patch Guidance

  • Update xrdp: Upgrade to version 0.10.5, 0.9.27, or 0.10.4.1 immediately. These versions contain the fix for CVE-2025-68670.
  • Apply system patches: Administrators should ensure that all systems running xrdp are updated, especially if Kaspersky USB Redirector is in use.
  • Monitor for unusual activity: Check logs for unexpected RDP connection attempts or crashes in the xrdp service.

“We are grateful to the Kaspersky team for their responsible disclosure and collaboration,” said the xrdp maintainers in a statement. “We urge all users to patch promptly.”

Timeline and Disclosure

  1. Initial discovery: Kaspersky researchers found the vulnerability during an internal audit in Q4 2024.
  2. Disclosure to xrdp: The flaw was reported to the xrdp project on January 15, 2025.
  3. Patch release: xrdp version 0.10.5 was released on February 5, 2025.
  4. Public announcement: Kaspersky published this advisory on March 11, 2025.