Critical RCE Bug in xrdp Server Puts Remote Desktop Users at Risk
Breaking: Critical RCE Vulnerability Discovered in xrdp
A severe remote code execution (RCE) vulnerability, tracked as CVE-2025-68670, has been uncovered in the xrdp open-source remote desktop server. The flaw was identified during a security audit of Kaspersky's USB Redirector module, which integrates with xrdp to enable USB device sharing over RDP sessions. Attackers could exploit this bug to run arbitrary code on affected servers without authentication.

According to Kaspersky researchers, the vulnerability resides in the Secure Settings Exchange phase that occurs just before client authentication. An attacker can send a specially crafted Client Info PDU containing oversized Unicode data, triggering a buffer overflow when xrdp converts UTF-16 strings to UTF-8. This overflow allows overwriting adjacent memory, potentially leading to code execution with system privileges.
How the Attack Works
During RDP connection setup, the client transmits credentials and other parameters in a TS_INFO_PACKET structure. Each field (username, password, domain, etc.) can be up to 512 bytes of UTF-16. The server's ts_info_utf16_in function converts each field to UTF-8 and stores it in a fixed-size 512-byte buffer.
Despite intended overflow protection, the conversion process introduces a vulnerability: a UTF-16 string of maximum size can expand beyond 512 bytes after conversion to UTF-8. The function does not adequately check the output length, allowing data to spill over into adjacent fields. "This creates a classic buffer overflow condition," explains a Kaspersky security engineer. "An attacker can control the overwritten data to hijack execution flow."
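The expansion described above, as an added illustration that is not xrdp's code: a bounded UTF-16LE to UTF-8 converter (hypothetical name utf16le_to_utf8_bounded) that refuses output which would not fit, run over a constructed 512-byte field of U+20AC characters, each of which is 2 bytes in UTF-16 but 3 bytes in UTF-8.

```c
#include <stddef.h>
#include <stdint.h>

/* Worst-case UTF-8 size for n UTF-16 code units: a BMP unit can become 3 bytes,
   a surrogate pair (2 units) becomes 4 bytes, so 3 bytes per unit is the bound. */
size_t utf8_worst_case(size_t utf16_units) { return utf16_units * 3; }

/* Convert UTF-16LE to NUL-terminated UTF-8 with an explicit output bound.
   Returns bytes written (excluding NUL), or -1 on overflow or malformed input. */
long utf16le_to_utf8_bounded(const uint8_t *in, size_t in_len, char *out, size_t out_size)
{
    size_t i = 0, o = 0;
    while (i + 1 < in_len) {
        uint32_t cp = in[i] | ((uint32_t)in[i + 1] << 8);
        i += 2;
        if (cp >= 0xD800 && cp <= 0xDBFF) {            /* high surrogate: need a low one */
            if (i + 1 >= in_len) return -1;
            uint32_t lo = in[i] | ((uint32_t)in[i + 1] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF) return -1;
            i += 2;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                                  /* lone low surrogate */
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (o + need >= out_size) return -1;            /* would overflow; keep room for NUL */
        if (need == 1) { out[o++] = (char)cp; }
        else if (need == 2) { out[o++] = (char)(0xC0 | (cp >> 6)); out[o++] = (char)(0x80 | (cp & 0x3F)); }
        else if (need == 3) { out[o++] = (char)(0xE0 | (cp >> 12)); out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
                              out[o++] = (char)(0x80 | (cp & 0x3F)); }
        else { out[o++] = (char)(0xF0 | (cp >> 18)); out[o++] = (char)(0x80 | ((cp >> 12) & 0x3F));
               out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F)); out[o++] = (char)(0x80 | (cp & 0x3F)); }
    }
    out[o] = '\0';
    return (long)o;
}

/* Constructed sample: a 512-byte UTF-16LE field (the maximum field size) made of
   256 copies of U+20AC, converted into an output buffer of out_size bytes. */
long demo_expansion(size_t out_size)
{
    uint8_t field[512];
    char out[1024];
    if (out_size > sizeof out) return -1;
    for (size_t i = 0; i < sizeof field; i += 2) { field[i] = 0xAC; field[i + 1] = 0x20; }
    return utf16le_to_utf8_bounded(field, sizeof field, out, out_size);
}
```

With a 512-byte destination the converter rejects the field (it would need 768 bytes); sizing the destination to utf8_worst_case(256) lets the same input convert cleanly.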
Background
xrdp is a popular open-source implementation of Microsoft's Remote Desktop Protocol, widely used on Linux systems. Many organizations deploy it for remote access in thin client environments. Kaspersky USB Redirector is an add-on that lets users redirect local USB devices (flash drives, smart cards) to remote sessions securely.
Kaspersky routinely audits its products for security flaws. During a targeted assessment of USB Redirector last year, researchers stumbled upon the deeper xrdp flaw. They promptly reported it to the xrdp maintainers, who released fixes in version 0.10.5 and backported patches to 0.9.27 and 0.10.4.1. A security bulletin was also issued.

What This Means
This vulnerability is critical because it requires no user interaction and can be exploited before authentication. Any xrdp server that accepts unauthenticated RDP connections is potentially at risk. An attacker could gain full control of the server, access sensitive data, or pivot to internal networks.
"All xrdp users should upgrade to the patched versions immediately," urges the xrdp project maintainer via a public notice. "Even if you don't use Kaspersky USB Redirector, this flaw is in core xrdp code and affects all installations." Organizations using thin client solutions are especially urged to prioritize patching.
Recommendations
- Immediately upgrade xrdp to version 0.10.5 or later. If you are on an older release series, update to 0.9.27 or 0.10.4.1.
- If patching is delayed, restrict RDP access to trusted networks only or use VPN gateways.
- Monitor for suspicious log entries related to authentication failures or malformed RDP packets.
- All users, especially those deploying Kaspersky Thin Client or USB Redirector, should check for updates from Kaspersky as well.
For full technical details, refer to the [official CVE entry](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68670) and the xrdp security bulletin.