CVE-2025-68670: Remote Code Execution Threat in xrdp Server Uncovered by Kaspersky

Overview

Kaspersky's commitment to product security recently led to the discovery of a critical remote code execution (RCE) vulnerability in the xrdp remote desktop server. This flaw, tracked as CVE-2025-68670, was identified during a routine security audit of Kaspersky USB Redirector—a module that securely extends thin client capabilities by enabling access to local USB devices (flash drives, smart cards, printers) over RDP sessions. The vulnerability resides in how xrdp handles client credential data before authentication, potentially allowing an attacker to execute arbitrary code on the server.

CVE-2025-68670: Remote Code Execution Threat in xrdp Server Uncovered by Kaspersky
Source: securelist.com

Technical Details of the Vulnerability

Client Data Transmission via RDP

Establishing an RDP connection involves a multi-stage handshake between client and server. One critical phase is the Secure Settings Exchange, which occurs just before client authentication. During this step, the client sends protected credentials—username, password, domain, auto-reconnect cookies, and other settings—packaged into a Client Info PDU (Protocol Data Unit). This data is formatted as a TS_INFO_PACKET structure, where each field is a Unicode string with a maximum length of 512 bytes, including a null terminator.

The xrdp Client Info Structure

In xrdp's source code, these fields are stored in the xrdp_client_info structure, with fixed-size character arrays of INFO_CLIENT_MAX_CB_LEN (512 bytes) for values like username, password, domain, program, and directory. When a client transmits these values in UTF-16 encoding, the server must convert them to UTF-8 before storing. This conversion is performed by the function ts_info_utf16_in(), which takes the source bytes, destination buffer, and its length as parameters.

Unicode Conversion and Buffer Overflow

The vulnerability arises from an oversight in the conversion logic. ts_info_utf16_in() does guard against overflow by checking the destination buffer size, but under specific conditions its calculation of the required UTF-8 output size is wrong. If the client sends a specially crafted Unicode string—for example, one made of characters that occupy more bytes in UTF-8 than they do in UTF-16, so that the converted string grows significantly—the resulting data can exceed the 512-byte buffer limit. An attacker could leverage this to overwrite adjacent memory regions, potentially gaining control of execution flow and achieving remote code execution on the xrdp server.
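The conversion step described in the two sections above, written as an added example in C. This is not xrdp's code and not the ts_info_utf16_in() routine; the function utf16le_to_utf8_bounded(), the demo functions and the sample inputs are constructed for this illustration, and the only value taken from the page is the 512-byte INFO_CLIENT_MAX_CB_LEN field size (that RDP carries these strings as UTF-16LE is assumed from the protocol). It shows why a check on the length of the incoming UTF-16 data is not a check on the converted output: a UTF-16 code unit occupies two bytes on the wire, but every character from U+0800 upward needs three bytes in UTF-8, so a field that respects the 512-byte wire limit can still exceed a 512-byte UTF-8 destination. The converter therefore checks the UTF-8 size of each character before writing it, keeps room for the NUL terminator, and rejects broken surrogate pairs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed field size the page names for xrdp_client_info string fields. */
#define INFO_CLIENT_MAX_CB_LEN 512

/* Read one UTF-16LE code unit (RDP carries these strings little-endian; assumed). */
static uint16_t rd_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Encode one code point as UTF-8 into out[4]; returns the byte count (1..4). */
static size_t put_utf8(uint32_t cp, char *out)
{
    if (cp < 0x80) { out[0] = (char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (char)(0xC0 | (cp >> 6)); out[1] = (char)(0x80 | (cp & 0x3F)); return 2;
    }
    if (cp < 0x10000) {
        out[0] = (char)(0xE0 | (cp >> 12)); out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (char)(0x80 | (cp & 0x3F)); return 3;
    }
    out[0] = (char)(0xF0 | (cp >> 18)); out[1] = (char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (char)(0x80 | ((cp >> 6) & 0x3F)); out[3] = (char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Convert a UTF-16LE field to NUL-terminated UTF-8 in dst[dst_len]. Returns the
 * bytes written (excluding the NUL) or -1 if the output would not fit or the
 * input is malformed. The bound is checked against the UTF-8 size of each
 * character before it is written, so the number of source bytes never stands
 * in for the size of the converted output. On failure dst is an empty string. */
long utf16le_to_utf8_bounded(const uint8_t *src, size_t src_bytes, char *dst, size_t dst_len)
{
    size_t in = 0, out = 0;
    if (dst == NULL || dst_len == 0) return -1;
    dst[0] = '\0';
    while (in + 1 < src_bytes) {
        uint16_t u = rd_u16le(src + in);
        uint32_t cp; char tmp[4]; size_t n;
        in += 2;
        if (u == 0) break;                                /* terminator ends the field */
        if (u >= 0xD800 && u <= 0xDBFF) {                 /* high surrogate needs a low one */
            uint16_t lo;
            if (in + 1 >= src_bytes) { dst[0] = '\0'; return -1; }
            lo = rd_u16le(src + in);
            if (lo < 0xDC00 || lo > 0xDFFF) { dst[0] = '\0'; return -1; }
            in += 2;
            cp = 0x10000 + (((uint32_t)(u - 0xD800)) << 10) + (uint32_t)(lo - 0xDC00);
        } else if (u >= 0xDC00 && u <= 0xDFFF) {          /* lone low surrogate */
            dst[0] = '\0'; return -1;
        } else {
            cp = u;
        }
        n = put_utf8(cp, tmp);
        if (out + n >= dst_len) { dst[0] = '\0'; return -1; } /* no room for char + NUL */
        memcpy(dst + out, tmp, n);
        out += n;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Constructed input "user" in UTF-16LE: returns 4 when dst holds "user". */
long demo_ascii_field(void)
{
    static const uint8_t src[] = { 'u', 0, 's', 0, 'e', 0, 'r', 0, 0, 0 };
    char dst[INFO_CLIENT_MAX_CB_LEN];
    long n = utf16le_to_utf8_bounded(src, sizeof src, dst, sizeof dst);
    return (n == 4 && strcmp(dst, "user") == 0) ? n : -2;
}

/* Constructed input U+1F600 as the surrogate pair D83D DE00: two UTF-16 code
 * units become the four UTF-8 bytes F0 9F 98 80; returns 4 on that result. */
long demo_surrogate_pair(void)
{
    static const uint8_t src[] = { 0x3D, 0xD8, 0x00, 0xDE, 0, 0 };
    char dst[8];
    long n = utf16le_to_utf8_bounded(src, sizeof src, dst, sizeof dst);
    return (n == 4 && memcmp(dst, "\xF0\x9F\x98\x80", 4) == 0) ? n : -2;
}

/* Constructed input: a maximum-size field of 255 x U+20AC plus NUL, exactly 512
 * bytes of UTF-16LE (so a check on the source length alone would pass), which
 * expands to 765 bytes of UTF-8. Returns 1 when the bounded converter rejects it. */
int demo_reject_expanding_field(void)
{
    uint8_t src[INFO_CLIENT_MAX_CB_LEN];
    char dst[INFO_CLIENT_MAX_CB_LEN];
    size_t i;
    for (i = 0; i < 255; i++) { src[2 * i] = 0xAC; src[2 * i + 1] = 0x20; } /* U+20AC LE */
    src[510] = 0; src[511] = 0;
    return utf16le_to_utf8_bounded(src, sizeof src, dst, sizeof dst) == -1;
}
```

The three demo functions return values rather than print them so they can be called from any main or test harness. The third case is the one that matters for this advisory: every individual source byte is within the field limit, yet the output is about 50% larger than the destination, which is exactly the situation a conversion routine must measure on the output side rather than the input side.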


Responsible Disclosure and Fix

After discovering the flaw, Kaspersky immediately reported it to the xrdp project maintainers. The team responded swiftly, releasing a fix in version 0.10.5 and backporting patches to versions 0.9.27 and 0.10.4.1. A security bulletin accompanied the release, advising all users to update their installations. This coordinated disclosure ensured that the vulnerability was addressed before malicious actors could exploit it in the wild.

Recommendations for Protection

To mitigate the risk posed by CVE-2025-68670, users and administrators should take the following actions:

Organizations using Kaspersky Thin Client with USB Redirector should also ensure that the latest version of Kaspersky USB Redirector is deployed, as it integrates the patched xrdp components.

Conclusion

The discovery of CVE-2025-68670 highlights the importance of continuous security auditing even in widely used open-source software. Kaspersky's proactive approach helped identify and remediate a dangerous RCE vulnerability in xrdp before it could be weaponized. By promptly updating their systems, users can maintain secure remote desktop operations. For further details, refer to the xrdp security advisory and the overview section above.
