Critical RCE Vulnerability Discovered in xrdp Remote Desktop Server – CVE-2025-68670

A critical remote code execution (RCE) vulnerability has been uncovered in the widely used xrdp remote desktop server, tracked as CVE-2025-68670. Discovered during a security audit of Kaspersky’s USB Redirector tool, the flaw affects versions prior to 0.10.5, 0.9.27, and 0.10.4.1. Exploitation could allow an attacker to execute arbitrary code on a target system before authentication.

“The vulnerability resides in the handling of client credentials during the Secure Settings Exchange phase, where a buffer overflow can be triggered by sending a specially crafted Client Info PDU,” said a Kaspersky security researcher. “We reported it to the xrdp maintainers, who acted swiftly to patch the issue.”

The vulnerability stems from the way xrdp processes Unicode strings transmitted from clients. During the RDP connection setup, the client sends a TS_INFO_PACKET containing fields like username, password, domain, and program path, each defined as char[INFO_CLIENT_MAX_CB_LEN] with a maximum of 512 bytes. However, the conversion from UTF-16 (used by the client) to UTF-8 (stored by the server) can produce output exceeding the allocated buffer, leading to a potential heap-based buffer overflow.

Specifically, the function ts_info_utf16_in receives the UTF-16 byte count (src_bytes) and copies the converted UTF-8 data into a destination buffer of size dst_len (512 bytes). If the UTF-16 input contains characters that expand to more than two bytes in UTF-8—such as many non-Latin scripts—the resulting string can overflow the fixed 512-byte buffer. The original code did not properly validate the output length against the destination buffer size before writing.
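To make the size arithmetic in the two paragraphs above concrete, the following is an added example, not xrdp's code and not Kaspersky's: a bounds-checked UTF-16LE to UTF-8 converter that computes the required output size before writing a single byte, plus a small driver that pushes a full 512-byte field through it. It assumes a hypothetical destination of INFO_CLIENT_MAX_CB_LEN (512) bytes, mirroring the figure in the article, and assumes for the arithmetic that the UTF-16 input considered is also 512 bytes (256 code units); the function names and the sample inputs are the example's own. What it shows: 256 ASCII code units produce 256 UTF-8 bytes and fit; 256 code units of a three-byte script such as U+4E00 produce 768 bytes and must be rejected; and even 256 two-byte code units (U+00E9) yield exactly 512 bytes, which leaves no room for the terminating NUL, so a check that only compares the byte count against the buffer size and forgets the terminator is still off by one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical field size, mirroring the 512-byte figure from the article. */
#define INFO_CLIENT_MAX_CB_LEN 512

/* Decodes one code point from UTF-16LE at *i and advances *i. Returns 0 on
 * truncated input (odd length included) or a broken surrogate pair, else 1. */
static int next_cp(const uint8_t *src, size_t src_bytes, size_t *i, uint32_t *cp)
{
    if (*i + 2 > src_bytes) return 0;
    uint32_t u = (uint32_t)src[*i] | ((uint32_t)src[*i + 1] << 8);
    *i += 2;
    if (u >= 0xDC00 && u <= 0xDFFF) return 0;          /* stray low surrogate */
    if (u >= 0xD800 && u <= 0xDBFF) {                  /* high surrogate: need low */
        if (*i + 2 > src_bytes) return 0;
        uint32_t lo = (uint32_t)src[*i] | ((uint32_t)src[*i + 1] << 8);
        if (lo < 0xDC00 || lo > 0xDFFF) return 0;
        *i += 2;
        u = 0x10000 + ((u - 0xD800) << 10) + (lo - 0xDC00);
    }
    *cp = u;
    return 1;
}

/* UTF-8 bytes needed for one code point: the expansion the article describes. */
static int utf8_len_of(uint32_t cp)
{
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/* UTF-8 bytes needed for the whole UTF-16LE buffer, not counting a NUL.
 * Returns (size_t)-1 on malformed input. */
size_t utf16le_utf8_len(const uint8_t *src, size_t src_bytes)
{
    size_t i = 0, n = 0;
    uint32_t cp;
    while (i < src_bytes) {
        if (!next_cp(src, src_bytes, &i, &cp)) return (size_t)-1;
        n += (size_t)utf8_len_of(cp);
    }
    return n;
}

/* Converts src into dst (dst_len bytes) and NUL-terminates it. The size check
 * runs before the first write, which is the check the article says was missing.
 * Returns the UTF-8 byte count written (excluding NUL), or -1 on reject. */
int utf16le_to_utf8_checked(const uint8_t *src, size_t src_bytes,
                            char *dst, size_t dst_len)
{
    static const uint8_t lead[] = { 0x00, 0x00, 0xC0, 0xE0, 0xF0 };
    size_t need = utf16le_utf8_len(src, src_bytes);
    if (need == (size_t)-1 || need + 1 > dst_len) return -1;   /* +1 for the NUL */
    size_t i = 0, o = 0;
    uint32_t cp;
    while (i < src_bytes && next_cp(src, src_bytes, &i, &cp)) {
        int len = utf8_len_of(cp);
        dst[o] = (char)(lead[len] | (cp >> (6 * (len - 1))));
        for (int b = 1; b < len; b++)
            dst[o + b] = (char)(0x80 | ((cp >> (6 * (len - 1 - b))) & 0x3F));
        o += (size_t)len;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Constructed sample input: a 512-byte UTF-16LE field (256 code units) all set
 * to one BMP code point, e.g. 0x0041 'A' (1 UTF-8 byte each), 0x00E9 (2 bytes),
 * 0x4E00 (3 bytes). */
static void fill_field(uint8_t *src, uint16_t unit)
{
    for (size_t k = 0; k < INFO_CLIENT_MAX_CB_LEN; k += 2) {
        src[k] = (uint8_t)(unit & 0xFF);
        src[k + 1] = (uint8_t)(unit >> 8);
    }
}

/* UTF-8 bytes a full field of this code point would need. */
size_t demo_utf8_len_for_full_field(uint16_t unit)
{
    uint8_t src[INFO_CLIENT_MAX_CB_LEN];
    fill_field(src, unit);
    return utf16le_utf8_len(src, sizeof src);
}

/* Same field through the checked converter into a 512-byte destination. */
int demo_checked_convert_full_field(uint16_t unit)
{
    uint8_t src[INFO_CLIENT_MAX_CB_LEN];
    char dst[INFO_CLIENT_MAX_CB_LEN];
    fill_field(src, unit);
    return utf16le_to_utf8_checked(src, sizeof src, dst, sizeof dst);
}

int main(void)
{
    const uint16_t units[] = { 0x0041, 0x00E9, 0x4E00 };
    for (size_t k = 0; k < 3; k++)
        printf("256 x U+%04X needs %zu UTF-8 bytes, checked convert -> %d\n",
               units[k], demo_utf8_len_for_full_field(units[k]),
               demo_checked_convert_full_field(units[k]));
    return 0;
}
```

Build with `cc -Wall -o utf16_check utf16_check.c` and run it; the U+4E00 row is the case the article describes, while the U+00E9 row is the less obvious one where the payload fits the buffer but the terminator does not. The design choice worth copying is that the required length is computed from the input in a separate pass, so the reject decision never depends on how far a write loop happened to get.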

In a successful exploit, an unauthenticated attacker could send a malicious Client Info PDU during the Secure Settings Exchange, causing memory corruption that may allow arbitrary code execution. This happens before client authentication, bypassing access controls. The xrdp maintainers have released patches in versions 0.10.5, 0.9.27, and 0.10.4.1, along with a security bulletin.

Background

xrdp is an open-source implementation of the Remote Desktop Protocol (RDP) for Linux and Unix-like systems. It is widely deployed in enterprise thin client environments and is often paired with tools like Kaspersky USB Redirector to enable secure USB device redirection over RDP sessions. The USB Redirector module, which is part of Kaspersky’s Thin Client solution, relies on xrdp to forward USB devices such as flash drives, smart cards, and printers.

[Image: Critical RCE Vulnerability Discovered in xrdp Remote Desktop Server – CVE-2025-68670. Source: securelist.com]

Kaspersky’s security team discovered the vulnerability during a routine internal audit of the USB Redirector component. They responsibly disclosed the details to the xrdp project, which quickly produced fixes and backported them to stable branches. The vulnerability affects all xrdp installations using versions before the patched builds.


What This Means

This RCE vulnerability poses a serious threat to organizations using xrdp, especially those with internet-facing RDP servers or those in multi-tenant environments. Because the flaw is exploitable before authentication, it could allow an attacker to gain an initial foothold without valid credentials.

Immediate action is recommended: upgrade xrdp to version 0.10.5, 0.9.27, or 0.10.4.1 (or later). If immediate patching is not possible, limit network exposure by restricting RDP access to trusted IPs using firewalls or VPNs. Additionally, enable logging and monitor for unusual Client Info PDUs. The xrdp project has also published a security advisory with further mitigation steps.

“This is a reminder that even well-established open-source projects can harbor subtle memory safety issues,” the Kaspersky researcher added. “Regular security audits and prompt patching are critical for maintaining a secure remote access infrastructure.”

Organizations using Kaspersky USB Redirector or Kaspersky Thin Client should also ensure their xrdp installations are updated, as the vulnerability directly impacts the server component used by these tools.

For more details, refer to the official xrdp security bulletin and CVE-2025-68670 entry.
