Critical Remote Code Execution Vulnerability Discovered in xrdp Server - CVE-2025-68670
Breaking: Critical Remote Code Execution Flaw in xrdp Server Exposed
Moscow, Russia – March 11, 2025 – Security researchers at Kaspersky have uncovered a critical remote code execution (RCE) vulnerability in xrdp, a popular open-source Remote Desktop Protocol (RDP) server for Linux. Assigned CVE-2025-68670, the flaw resides in how xrdp handles UTF-16 to UTF-8 string conversion during client authentication, potentially allowing an attacker to execute arbitrary code on vulnerable systems.

Kaspersky disclosed the vulnerability after discovering it during a routine security audit of their Kaspersky USB Redirector, a module that extends xrdp to provide secure USB device access over RDP. The xrdp project maintainers quickly patched the issue in version 0.10.5, with backports to 0.9.27 and 0.10.4.1, and released a security bulletin.
Details of the Vulnerability
The flaw lies in the Secure Settings Exchange phase, just before client authentication. The client sends a Client Info PDU containing username, password, domain, and other data in UTF-16 encoded Unicode strings, each limited to 512 bytes plus a null terminator.
In xrdp’s xrdp_client_info structure, these strings are stored in fixed-size buffers of 512 characters. The conversion function ts_info_utf16_in attempts to protect against overflow by passing the destination buffer size. However, an attacker can supply a Unicode string that stays within the UTF-16 limit on the wire yet, once converted to UTF-8, produces more bytes than the fixed-size buffer can hold, leading to a buffer overflow and potential code execution.
“The buffer overflow occurs because the UTF-8 conversion can expand certain Unicode characters beyond the expected size, even when the original UTF-16 byte count is within limits,” explained a Kaspersky security researcher speaking on condition of anonymity. “An attacker controlling the credentials can exploit this to overwrite adjacent memory and execute arbitrary code.”
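To make the expansion concrete, here is an added example; it is my own illustration, not xrdp’s ts_info_utf16_in, whose internals this page does not show. It is a bounded UTF-16LE to UTF-8 converter that takes the destination size in bytes and refuses to write when the encoded output plus its terminator would not fit. The helper names and the constructed input of 512 UTF-16 code units of U+20AC (EURO SIGN) are assumptions for the demonstration. It shows that a field within the protocol’s 512-unit UTF-16 limit can need 1536 UTF-8 bytes, which is why a size check applied only to the UTF-16 input cannot protect a 512-byte UTF-8 buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Encode one code point as UTF-8 into out (at most 4 bytes); return the length. */
static size_t encode_utf8(uint32_t cp, unsigned char out[4])
{
    if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (unsigned char)(0xC0 | (cp >> 6));
        out[1] = (unsigned char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (cp < 0x10000) {
        out[0] = (unsigned char)(0xE0 | (cp >> 12));
        out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (unsigned char)(0x80 | (cp & 0x3F));
        return 3;
    }
    out[0] = (unsigned char)(0xF0 | (cp >> 18));
    out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
    out[3] = (unsigned char)(0x80 | (cp & 0x3F));
    return 4;
}

/* On any failure leave the destination as an empty string and report -1. */
static long fail(char *dst)
{
    if (dst != NULL) dst[0] = '\0';
    return -1;
}

/*
 * Hypothetical bounded converter (not xrdp's function). src holds src_bytes of
 * UTF-16LE; an embedded NUL ends the string. If dst is NULL the call only
 * measures and returns the UTF-8 byte count (excluding NUL). Otherwise it
 * returns the bytes written (excluding NUL), or -1 if output plus NUL would
 * exceed dst_size or the input is malformed. It never writes past dst_size.
 */
long utf16le_to_utf8_bounded(const unsigned char *src, size_t src_bytes,
                             char *dst, size_t dst_size)
{
    size_t in = 0, out = 0;
    if (src_bytes % 2 != 0) return fail(dst);
    if (dst != NULL) {
        if (dst_size == 0) return -1;
        dst[0] = '\0';
    }
    while (in + 1 < src_bytes) {
        uint32_t cp = src[in] | ((uint32_t)src[in + 1] << 8);
        in += 2;
        if (cp == 0) break;
        if (cp >= 0xD800 && cp <= 0xDBFF) {          /* high surrogate: need a low one */
            if (in + 1 >= src_bytes) return fail(dst);
            uint32_t lo = src[in] | ((uint32_t)src[in + 1] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF) return fail(dst);
            in += 2;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return fail(dst);                         /* lone low surrogate */
        }
        unsigned char buf[4];
        size_t n = encode_utf8(cp, buf);
        if (dst != NULL) {
            /* The check that matters: measure the UTF-8 output, keep room for NUL. */
            if (out + n + 1 > dst_size) return fail(dst);
            memcpy(dst + out, buf, n);
            dst[out + n] = '\0';
        }
        out += n;
    }
    return (long)out;
}

/* Constructed worst case: 512 code units of U+20AC, 2 bytes each in UTF-16LE. */
#define FIELD_UNITS 512
static void fill_euro_field(unsigned char *src)
{
    for (size_t i = 0; i < FIELD_UNITS; i++) { src[2 * i] = 0xAC; src[2 * i + 1] = 0x20; }
}

/* UTF-8 bytes the field needs: 512 * 3 = 1536, three times the UTF-16 unit count. */
long required_utf8_bytes_for_euro_field(void)
{
    unsigned char src[FIELD_UNITS * 2];
    fill_euro_field(src);
    return utf16le_to_utf8_bounded(src, sizeof src, NULL, 0);
}

/* 1 if the bounded converter refuses to place the field in a 512-char + NUL buffer. */
int euro_field_rejected_by_512_byte_buffer(void)
{
    unsigned char src[FIELD_UNITS * 2];
    char dst[FIELD_UNITS + 1];
    fill_euro_field(src);
    return utf16le_to_utf8_bounded(src, sizeof src, dst, sizeof dst) == -1;
}

/* Plain ASCII "abc" (constructed, NUL-terminated UTF-16LE) converts unchanged. */
long ascii_roundtrip(char *dst, size_t dst_size)
{
    const unsigned char src[] = { 'a', 0, 'b', 0, 'c', 0, 0, 0 };
    return utf16le_to_utf8_bounded(src, sizeof src, dst, dst_size);
}

int main(void)
{
    printf("UTF-8 bytes needed for 512 x U+20AC: %ld\n", required_utf8_bytes_for_euro_field());
    printf("rejected by 513-byte buffer: %d\n", euro_field_rejected_by_512_byte_buffer());
    return 0;
}
```

The design point is that the bound is enforced on the output side, per encoded character, before each memcpy; a check on the UTF-16 byte count alone passes this input, because 1024 input bytes is within the field limit while the UTF-8 result is 1536 bytes. A converter used for fixed-size fields should either size the destination for the worst case (three UTF-8 bytes per UTF-16 code unit for BMP characters) or fail closed as this one does.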
Background: The Role of xrdp and Kaspersky USB Redirector
xrdp is a widely used open-source RDP server for Linux, enabling remote desktop access from Windows clients. Kaspersky USB Redirector is a commercial add-on that allows thin clients running Kaspersky Thin Client OS to securely access local USB devices—such as flash drives, smart cards, and printers—within a remote session.
“While Kaspersky USB Redirector is not itself vulnerable, it interacts with xrdp in a way that exposed this underlying flaw,” said the researcher. “As part of our ongoing security assessments, we routinely test all components that our solutions integrate with.”
What This Means
This vulnerability affects any system running unpatched versions of xrdp, particularly those with Kaspersky USB Redirector enabled. Successful exploitation could allow an attacker to gain remote shell access, potentially leading to full system compromise.

“Immediate action is recommended,” urged the researcher. “Users and administrators should update xrdp to version 0.10.5, 0.9.27, or 0.10.4.1 as soon as possible. Those using Kaspersky Thin Client should ensure the latest updates are applied through standard patching channels.”
Kaspersky has also published a detailed technical analysis of CVE-2025-68670. The company emphasizes that no real-world exploitation has been reported yet, but the flaw is considered critical due to its ease of exploitation and potential impact.
For a complete list of affected versions and mitigation steps, refer to the Recommendations section below.
Recommendations and Patch Guidance
- Update xrdp: Upgrade to version 0.10.5, 0.9.27, or 0.10.4.1 immediately. These versions contain the fix for CVE-2025-68670.
- Apply system patches: Administrators should ensure that all systems running xrdp are updated, especially if Kaspersky USB Redirector is in use.
- Monitor for unusual activity: Check logs for unexpected RDP connection attempts or crashes in the xrdp service.
“We are grateful to the Kaspersky team for their responsible disclosure and collaboration,” said the xrdp maintainers in a statement. “We urge all users to patch promptly.”
Timeline and Disclosure
- Initial discovery: Kaspersky researchers found the vulnerability during an internal audit in Q4 2024.
- Disclosure to xrdp: The flaw was reported to the xrdp project on January 15, 2025.
- Patch release: xrdp version 0.10.5 was released on February 5, 2025.
- Public announcement: Kaspersky published this advisory on March 11, 2025.