Critical Remote Code Execution Flaw in xrdp: CVE-2025-68670 Exposed
Introduction
Kaspersky, known for its security solutions, also provides utility software to streamline business operations. Among these is Kaspersky Thin Client, an operating system designed for thin clients, and a complementary module called Kaspersky USB Redirector. This module extends the capabilities of the xrdp remote desktop server for Linux, allowing users to access local USB devices—such as flash drives, tokens, smart cards, and printers—within a remote desktop session while maintaining connection security.

Security is a top priority at Kaspersky, and regular security assessments are conducted on all products, including Kaspersky USB Redirector. During a security audit last year, researchers uncovered a remote code execution (RCE) vulnerability in the underlying xrdp server. Assigned the identifier CVE-2025-68670, this flaw could allow an attacker to execute arbitrary code on the server. The vulnerability was responsibly disclosed to the xrdp project maintainers, who acted swiftly: they released a fix in version 0.10.5, backported the patch to versions 0.9.27 and 0.10.4.1, and published a security bulletin. This article provides a detailed breakdown of CVE-2025-68670 and offers guidance on staying protected.
The Mechanism Behind RDP Client Data Exchange
Establishing an RDP (Remote Desktop Protocol) connection involves a complex, multi-stage process where the client and server exchange various settings. Of particular relevance to this vulnerability is the Secure Settings Exchange phase, which occurs immediately before client authentication. During this phase, the client sends protected credentials to the server inside a Client Info PDU (Protocol Data Unit containing client information). This packet bundles together the username, password, auto-reconnect cookies, and other data points into a TS_INFO_PACKET structure.
Each field in the TS_INFO_PACKET can be represented as a Unicode string with a maximum length of 512 bytes, and each string must end with a null terminator. In the xrdp source code, this corresponds to the xrdp_client_info structure, whose string fields are declared as follows:

struct xrdp_client_info {
    char username[INFO_CLIENT_MAX_CB_LEN];
    char password[INFO_CLIENT_MAX_CB_LEN];
    char domain[INFO_CLIENT_MAX_CB_LEN];
    char program[INFO_CLIENT_MAX_CB_LEN];
    char directory[INFO_CLIENT_MAX_CB_LEN];
};

The constant INFO_CLIENT_MAX_CB_LEN is set to 512, meaning each field can hold at most 511 characters plus a null terminator.
The Vulnerability: Buffer Overflow in UTF-16 to UTF-8 Conversion
When the client transmits data, it uses UTF-16 encoding. The server, however, converts it to UTF-8 before storing the values. This conversion is handled by the function ts_info_utf16_in, which is called once for each field (domain, username, and so on). A typical call, here for the domain field, looks like this:

if (ts_info_utf16_in(s, len_domain, self->rdp_layer->client_info.domain,
                     sizeof(self->rdp_layer->client_info.domain)) != 0)
{
    // error handling
}

The fourth parameter provides the destination buffer size (in this case sizeof(self->rdp_layer->client_info.domain), which is 512 bytes). The ts_info_utf16_in function is supposed to implement buffer overflow protection, as its implementation shows:
static int ts_info_utf16_in(struct stream *s, int src_bytes, char *dst, int dst_len)
{
    int rv = 0;
    LOG_DEVEL(LOG_LEVEL_TRACE, "ts_info_utf16_in: uni_len %d, dst_len %d", src_bytes, dst_len);
    if (!s_check_rem_and_log(s, src_bytes + 2, "ts_i

The vulnerability lies in a subtle flaw: the function validates the number of bytes to read (src_bytes) against the stream, but not against the size the data will have in the destination buffer after UTF-16 to UTF-8 conversion. A UTF-8 string can be up to twice the size of the original UTF-16 input (since characters at or above U+0800 expand from 2 to 3 bytes in UTF-8). If an attacker sends a crafted UTF-16 string that, when converted, exceeds the 512-byte limit, a buffer overflow occurs. This overflow can overwrite adjacent memory regions, potentially allowing an attacker to execute arbitrary code on the server.
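As an added illustration (this is not xrdp's code), the C function below converts a UTF-16LE field into a fixed 512-byte UTF-8 buffer and sizes each code point's UTF-8 form before writing it, which is the kind of post-conversion bound the vulnerable path lacked. The function names, the rd16le helper and the U+20AC sample input are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#define INFO_CLIENT_MAX_CB_LEN 512   /* field size of xrdp's xrdp_client_info */
static uint32_t rd16le(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }
/* Convert UTF-16LE input (src_bytes bytes, no terminator) into NUL-terminated
 * UTF-8 in dst without writing past dst_len bytes. Returns the UTF-8 length
 * (without the NUL), or -1 if the input is malformed or would not fit.
 * Hypothetical bounded converter, not xrdp's ts_info_utf16_in. */
int utf16le_to_utf8_bounded(const uint8_t *src, size_t src_bytes,
                            char *dst, size_t dst_len)
{
    static const uint8_t lead[] = {0, 0, 0xC0, 0xE0, 0xF0};
    size_t in = 0, out = 0, need, shift;
    uint32_t cp, lo;
    if (dst_len == 0 || (src_bytes & 1) != 0)
        return -1;
    while (in < src_bytes) {
        cp = rd16le(src + in), in += 2;
        if (cp >= 0xD800 && cp <= 0xDBFF) {        /* high surrogate: pair it */
            if (in >= src_bytes || (lo = rd16le(src + in)) < 0xDC00 || lo > 0xDFFF)
                return -1;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00), in += 2;
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) { /* lone low surrogate */
            return -1;
        }
        /* Size this code point's UTF-8 form before writing: a check based on
         * src_bytes alone misses the 2-byte -> 3-byte growth from U+0800 up. */
        need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (out + need >= dst_len)                 /* keep room for the NUL */
            return -1;
        if (need == 1) { dst[out++] = (char)cp; continue; }
        shift = 6 * (need - 1);
        dst[out++] = (char)(lead[need] | (cp >> shift));
        while (shift > 0)
            shift -= 6, dst[out++] = (char)(0x80 | ((cp >> shift) & 0x3F));
    }
    dst[out] = '\0';
    return (int)out;
}
/* Constructed sample: n copies of U+20AC (bytes AC 20 in UTF-16LE, 3 bytes in
 * UTF-8) written into a 512-byte field, as a Client Info PDU string would be. */
int convert_euro_run(size_t n)
{
    uint8_t src[1024]; char field[INFO_CLIENT_MAX_CB_LEN]; size_t i;
    if (n > sizeof(src) / 2) return -1;
    for (i = 0; i < n; i++) src[2 * i] = 0xAC, src[2 * i + 1] = 0x20;
    return utf16le_to_utf8_bounded(src, 2 * n, field, sizeof(field));
}
```

With 170 such characters the 340-byte UTF-16 input fits (510 UTF-8 bytes plus the NUL); with 171 the converter refuses instead of writing 513 bytes into the 512-byte field.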

Impact and Affected Versions
An attacker who successfully exploits CVE-2025-68670 can achieve remote code execution on the xrdp server. This could lead to full compromise of the server, including unauthorized access to sensitive data, installation of malware, or pivoting to other systems on the network. The vulnerability affects all xrdp installations that process client info PDUs during RDP session establishment, which includes default configurations.
The following versions are affected:
- 0.9.x releases before 0.9.27
- 0.10.x releases before 0.10.4.1
- 0.10.x releases before 0.10.5 (0.10.4.1 carries the backported fix)
Patches were deployed in versions 0.9.27, 0.10.4.1, and 0.10.5. Users running earlier versions should update immediately.
Mitigation and Recommendations
To protect against CVE-2025-68670, follow these steps:
- Update xrdp to the latest version. If you are using xrdp 0.9.x, upgrade to 0.9.27 or later. For the 0.10.x line, upgrade to 0.10.5 (or at least 0.10.4.1). These releases include the fix.
- Apply the security patch if you cannot upgrade immediately. The xrdp maintainers have provided backported patches for older versions. Refer to the xrdp security advisories for details.
- Restrict network exposure. Limit access to the RDP port (default 3389) to trusted networks only. Use firewalls or VPNs to reduce the attack surface.
- Monitor for suspicious activity. Check server logs for unusual RDP connection attempts or failures that might indicate exploitation attempts.
- Use additional security layers. Consider deploying an intrusion detection system (IDS) or endpoint protection that can detect exploit patterns.
Conclusion
The discovery of CVE-2025-68670 underscores the importance of regular security audits, even for open-source components. Kaspersky’s responsible disclosure helped the xrdp project fix a critical RCE vulnerability before it could be widely exploited. By keeping software up to date and following best practices like network segmentation and access control, organizations can significantly reduce their risk. Stay vigilant and ensure your xrdp deployments are patched against this flaw.