Critical Remote Code Execution Flaw Discovered in xrdp – CVE-2025-68670

Breaking: Critical RCE Vulnerability in xrdp Server

Security researchers at Kaspersky have disclosed a critical remote code execution (RCE) vulnerability in xrdp, the widely used open-source remote desktop server for Linux. Tracked as CVE-2025-68670, the flaw is reachable before authentication and could allow an attacker to execute arbitrary code on systems running vulnerable versions.

Critical Remote Code Execution Flaw Discovered in xrdp – CVE-2025-68670
Source: securelist.com

The vulnerability was discovered during a routine security audit of Kaspersky's USB Redirector module, which integrates with xrdp on Linux-based thin clients. Kaspersky immediately reported the flaw to the xrdp project maintainers.

"We take security seriously, and this finding highlights the importance of regular audits," said a Kaspersky security researcher. "The xrdp team responded swiftly, releasing patches within days."

Technical Details: How the Attack Works

The bug lies in the Secure Settings Exchange phase of the RDP connection sequence, which takes place before the client is authenticated. At this point the client sends its logon data, including credentials, in a Client Info PDU, with each string field encoded as UTF-16 (little-endian) and limited to 512 bytes.

When the xrdp server converts each of these fields from UTF-16 to UTF-8, the ts_info_utf16_in function does not properly validate the size of the output buffer it writes into. Because one UTF-16 code unit can expand to as many as three bytes of UTF-8, a field that respects the 512-byte limit on the wire can still produce more output than a same-sized destination holds, so a malicious client can overwrite adjacent memory.

This memory corruption can be weaponized to execute arbitrary code on the server. The affected fields are username, password, domain, program, and directory, each of which is defined with a maximum length of 512 bytes (INFO_CLIENT_MAX_CB_LEN).

Kaspersky's analysis confirmed that the issue is exploitable before authentication, making it especially dangerous for exposed RDP endpoints.
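To make the failure mode concrete, the following is an added illustration written for this article. It is not xrdp's code and does not reproduce ts_info_utf16_in: it pairs a hypothetical UTF-16LE to UTF-8 converter that relies only on the input having been length-checked (the vulnerable pattern) with one that bounds every write to the destination, and feeds both a constructed 512-byte field of U+20AC characters. The value 512 for INFO_CLIENT_MAX_CB_LEN is taken from the article; the function names, the demo helpers and the sample input are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define INFO_CLIENT_MAX_CB_LEN 512   /* per-field limit the article cites for the Client Info PDU */

/* Decode one UTF-16LE code point ('units' = 16-bit units left); lone/truncated surrogates -> U+FFFD. */
static size_t utf16le_decode(const uint8_t *in, size_t units, uint32_t *cp)
{
    uint32_t w1 = (uint32_t)in[0] | ((uint32_t)in[1] << 8);
    if (w1 >= 0xD800 && w1 <= 0xDBFF) {
        uint32_t w2 = units >= 2 ? ((uint32_t)in[2] | ((uint32_t)in[3] << 8)) : 0;
        if (w2 < 0xDC00 || w2 > 0xDFFF) { *cp = 0xFFFD; return 1; }
        *cp = 0x10000 + (((w1 - 0xD800) << 10) | (w2 - 0xDC00));
        return 2;
    }
    *cp = (w1 >= 0xDC00 && w1 <= 0xDFFF) ? 0xFFFD : w1;
    return 1;
}

/* UTF-8 size of a code point: the expansion a UTF-16 -> UTF-8 converter has to budget for. */
static size_t utf8_bytes_needed(uint32_t cp)
{
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/* Encode cp into dst; the caller guarantees utf8_bytes_needed(cp) bytes are free. */
static size_t utf8_encode(uint32_t cp, uint8_t *dst)
{
    size_t n = utf8_bytes_needed(cp), k;
    if (n == 1) { dst[0] = (uint8_t)cp; return 1; }
    dst[0] = (uint8_t)(((0xF00 >> n) & 0xFF) | (cp >> (6 * (n - 1))));   /* 110xxxxx / 1110xxxx / 11110xxx */
    for (k = 1; k < n; k++)
        dst[k] = (uint8_t)(0x80 | ((cp >> (6 * (n - 1 - k))) & 0x3F));
    return n;
}

/* VULNERABLE pattern (hypothetical, not xrdp's code): only the UTF-16 input was length-checked (<= 512 bytes). */
size_t utf16le_to_utf8_unchecked(const uint8_t *in, size_t in_len, uint8_t *out)
{
    size_t i = 0, o = 0;
    uint32_t cp;
    while (i + 2 <= in_len) {
        i += 2 * utf16le_decode(in + i, (in_len - i) / 2, &cp);
        o += utf8_encode(cp, out + o);        /* overruns 'out' once the output exceeds its size */
    }
    out[o] = '\0';
    return o;
}

/* HARDENED form: every write is checked against out_size (NUL included); returns length or -1 if it would not fit. */
int utf16le_to_utf8_bounded(const uint8_t *in, size_t in_len, char *out, size_t out_size)
{
    size_t i = 0, o = 0, need;
    uint32_t cp;
    if (out_size == 0) return -1;
    while (i + 2 <= in_len) {
        i += 2 * utf16le_decode(in + i, (in_len - i) / 2, &cp);
        need = utf8_bytes_needed(cp);
        if (o + need >= out_size) return -1;  /* would leave no room for the NUL */
        o += utf8_encode(cp, (uint8_t *)out + o);
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed field: 256 x U+20AC in UTF-16LE is exactly 512 bytes (passes an input check), 768 bytes as UTF-8. */
static size_t build_expanding_field(uint8_t *buf, size_t buf_len)
{
    size_t n = 0;
    while (n + 2 <= buf_len && n + 2 <= INFO_CLIENT_MAX_CB_LEN) { buf[n++] = 0xAC; buf[n++] = 0x20; }
    return n;
}

/* Bytes the unchecked converter emits for that field; oversized scratch space keeps this demo memory-safe. */
int demo_unchecked_output_len(void)
{
    uint8_t field[INFO_CLIENT_MAX_CB_LEN], scratch[4 * INFO_CLIENT_MAX_CB_LEN];
    return (int)utf16le_to_utf8_unchecked(field, build_expanding_field(field, sizeof field), scratch);
}

/* The bounded converter refuses the same field for a 512-byte destination (returns -1). */
int demo_bounded_rejects_overflow(void)
{
    uint8_t field[INFO_CLIENT_MAX_CB_LEN];
    char dst[INFO_CLIENT_MAX_CB_LEN];
    return utf16le_to_utf8_bounded(field, build_expanding_field(field, sizeof field), dst, sizeof dst);
}

/* Ordinary input still converts: "Admin" in UTF-16LE gives 5 bytes of UTF-8, or -2 on any mismatch. */
int demo_bounded_ascii(void)
{
    static const uint8_t user[] = { 'A', 0, 'd', 0, 'm', 0, 'i', 0, 'n', 0 };
    char dst[INFO_CLIENT_MAX_CB_LEN];
    int rc = utf16le_to_utf8_bounded(user, sizeof user, dst, sizeof dst);
    return (rc == 5 && strcmp(dst, "Admin") == 0) ? rc : -2;
}
```

The unchecked path is deliberately run into a scratch buffer four times larger than the field so that the demonstration itself does not corrupt memory; in a server that writes into a 512-byte field, the same 768 bytes would land 256 bytes past the end. The bounded variant returns -1 instead, which a server should treat as a protocol error and close the connection rather than truncate silently.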

Background

xrdp is an open-source implementation of a Remote Desktop Protocol server for Linux, commonly used to give thin clients and other RDP clients access to Linux desktops. Kaspersky Thin Client, a specialized OS for enterprise environments, relies on xrdp for its remote desktop sessions.

The Kaspersky USB Redirector extends xrdp to allow remote access to local USB devices such as flash drives, smart cards, and printers. This module was the subject of the security audit that uncovered CVE-2025-68670.

The xrdp project maintainers have released fixes in version 0.10.5, with backports to versions 0.9.27 and 0.10.4.1. A security bulletin has been published.

What This Means

Organizations using xrdp — especially those deploying Kaspersky Thin Client or third-party thin client solutions — should urgently update to the patched versions. The vulnerability could allow an unauthenticated remote attacker to execute arbitrary code with the privileges of the xrdp process, potentially leading to full system compromise.

Administrators are advised to restrict access to the RDP service (TCP port 3389 by default) to trusted networks and to apply the xrdp patches immediately. Kaspersky has also updated its USB Redirector module to address the flaw.

The discovery underscores the critical need for continuous security audits in open-source components that are integrated into commercial products.

This is a breaking story. More details will be added as they emerge.
