CVE-2025-68670 — a remote-code-execution flaw in the xrdp remote desktop server — was discovered last year during a security audit of Kaspersky USB Redirector, a module sold alongside Kaspersky Thin Client, and was patched by the xrdp project in January 2026.
What CVE-2025-68670 is, in plain terms
The vulnerability exists in xrdp’s handling of the client-supplied domain name before user authentication. During the Secure Settings Exchange phase of an RDP connection the client sends protected credentials and related strings inside a TS_INFO_PACKET; each of those strings is UTF-16 encoded, up to 512 bytes long, and is converted on the server to UTF-8. The xrdp code defines INFO_CLIENT_MAX_CB_LEN as 512 and stores several client fields — including domain — in fixed buffers sized to that limit.
The specific bug occurs in the function xrdp_wm_parse_domain_information, which is called before authentication. That function writes portions of the domain string into a local stack buffer of 256 bytes (named resultBuffer) under certain conditions, creating the possibility of a stack-based buffer overflow when the converted UTF-8 domain fragment exceeds 256 bytes. Because this happens before authentication, exploitation does not require valid credentials.
How the overflow is created and why UTF-16→UTF-8 conversion matters
xrdp converts client-sent UTF-16 strings to UTF-8 using a conversion routine that allows up to 512 bytes of output. The domain string is accepted in UTF-16 and may become a differently sized UTF-8 string after conversion. The vulnerable code checks for a leading underscore in the domain and then copies the substring between that leading underscore and a subsequent double underscore (“__”) into a 256-byte stack buffer. If that substring (after conversion to UTF-8) exceeds 256 bytes, g_strncpy writes past the buffer and can overwrite stack data, including the return address.
The conversion and copying sequence in the code path is documented step-by-step: from the ts_info_utf16_in function that prepares the UTF-8 buffer, through in_utf16_le_fixed_as_utf8_proc which performs character-by-character conversion with checks for remaining output space and termination, to xrdp_wm_parse_domain_information which performs the final copy into the 256-byte result buffer. The mismatch between a possible 512-byte UTF-8 domain and a 256-byte destination is the root cause.
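To make the size mismatch concrete, the following C program is an added example and not xrdp's own code. Only the two sizes (INFO_CLIENT_MAX_CB_LEN = 512 and the 256-byte result buffer) come from the article; the converter, the fragment parser and its exact underscore rules, and all function names are assumptions written for illustration. It shows the defensive check that keeps a converted UTF-8 domain fragment from being copied into a buffer it cannot fit, and it demonstrates why 512 bytes of UTF-16 input can still be 512 bytes of UTF-8 output when the characters are two bytes in both encodings.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Limits named in the article: xrdp's INFO_CLIENT_MAX_CB_LEN (512) and the
 * 256-byte local result buffer in xrdp_wm_parse_domain_information. */
#define INFO_CLIENT_MAX_CB_LEN 512
#define RESULT_BUFFER_LEN      256

/* Hypothetical bounded UTF-16LE -> UTF-8 converter (BMP only; surrogate pairs
 * are rejected to keep the example short). Output is always NUL-terminated.
 * Returns the number of UTF-8 bytes written, or -1 if the result would not
 * fit in out_size bytes. */
static int utf16le_to_utf8(const uint8_t *in, size_t in_len,
                           char *out, size_t out_size)
{
    size_t o = 0;
    if (out_size == 0) return -1;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        uint32_t cp = in[i] | ((uint32_t)in[i + 1] << 8);
        if (cp == 0) break;                          /* UTF-16 terminator */
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1; /* surrogates: not handled */
        size_t need = cp < 0x80 ? 1 : (cp < 0x800 ? 2 : 3);
        if (o + need >= out_size) return -1;         /* keep room for the NUL */
        if (need == 1) {
            out[o++] = (char)cp;
        } else if (need == 2) {
            out[o++] = (char)(0xC0 | (cp >> 6));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[o++] = (char)(0xE0 | (cp >> 12));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Hardened fragment copy. Assumed semantics, following the article: if the
 * UTF-8 domain starts with '_', the text between that '_' and the next "__"
 * is copied into result. The length check before memcpy is the point: an
 * unchecked strncpy-style copy of up to 512 bytes into a 256-byte buffer is
 * the overflow the article describes. Returns the fragment length, 0 when
 * there is no fragment, or -1 when the fragment does not fit. */
static int parse_domain_fragment(const char *domain, char *result,
                                 size_t result_size)
{
    if (domain[0] != '_') return 0;
    const char *start = domain + 1;
    const char *end = strstr(start, "__");
    if (end == NULL) return 0;
    size_t len = (size_t)(end - start);
    if (len + 1 > result_size) return -1;   /* would overflow: reject */
    memcpy(result, start, len);
    result[len] = '\0';
    return (int)len;
}

/* Full pre-authentication path: convert, then parse.
 * Returns the fragment length (>= 0), -1 if the UTF-8 conversion would
 * exceed 512 bytes, or -2 if the fragment would not fit in 256 bytes. */
static int check_domain_field(const uint8_t *utf16, size_t utf16_len)
{
    char utf8[INFO_CLIENT_MAX_CB_LEN];
    char result[RESULT_BUFFER_LEN];
    if (utf16le_to_utf8(utf16, utf16_len, utf8, sizeof utf8) < 0) return -1;
    int rc = parse_domain_fragment(utf8, result, sizeof result);
    return rc < 0 ? -2 : rc;
}

/* Helper to build constructed UTF-16LE test input. */
static void put_u16(uint8_t *buf, size_t *pos, uint16_t cu)
{
    buf[(*pos)++] = (uint8_t)(cu & 0xFF);
    buf[(*pos)++] = (uint8_t)(cu >> 8);
}

/* Constructed sample 1: "_abc__x" -> fragment "abc", length 3. */
static int sample_short_fragment(void)
{
    uint8_t buf[INFO_CLIENT_MAX_CB_LEN]; size_t n = 0;
    const char *ascii = "_abc__x";
    for (const char *p = ascii; *p; p++) put_u16(buf, &n, (uint16_t)*p);
    return check_domain_field(buf, n);
}

/* Constructed sample 2: '_' + 200 x U+041A (the two-byte character the
 * article mentions) + "__": 406 bytes of UTF-16 become 403 bytes of UTF-8,
 * well within the 512-byte conversion limit but far beyond the 256-byte
 * result buffer, so the hardened parser refuses it (-2) instead of copying. */
static int sample_oversized_fragment(void)
{
    uint8_t buf[INFO_CLIENT_MAX_CB_LEN]; size_t n = 0;
    put_u16(buf, &n, '_');
    for (int i = 0; i < 200; i++) put_u16(buf, &n, 0x041A);
    put_u16(buf, &n, '_'); put_u16(buf, &n, '_');
    return check_domain_field(buf, n);
}
```

The second sample is the case that matters: the conversion step alone passes, because 403 bytes fit within the 512-byte limit, and only the length check in front of the copy stops the 400-byte fragment from landing in a 256-byte stack buffer. Any fix for this class of bug has to bound the copy against the destination size, not against the size of the source field.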
Proof-of-concept, crash evidence, and practical exploit constraints
Kaspersky published a proof-of-concept RDP file used to demonstrate the issue. The file points Microsoft’s Remote Desktop client (mstsc.exe) at an xrdp server (IP 172.22.118.7 in the example) and supplies a crafted domain name that forces an overflow; the PoC used a sequence of the Cyrillic letter K (U+041A) to align and overwrite the return address with the string “AAAAAAAA”.
A gdb backtrace captured at crash time shows the application terminating during a stack canary check with the overwritten return-address region containing repeated 0x41 bytes (ASCII “A”), consistent with a classic stack buffer overflow that corrupts control flow. The report notes that many compilers enable stack canaries by default; while canaries can prevent simple overwrite-and-return exploitation, they are not a complete defence because an attacker could attempt to discover or bypass the canary.
Patching and disclosure timeline
Kaspersky submitted the report to the xrdp project on 12/05/2025 via the xrdp GitHub security channel; maintainers confirmed receipt the same day. Investigation and prioritization began on 12/15/2025, active patch development started on 12/18/2025, and the issue received the identifier CVE-2025-68670 on 12/24/2025. The patch was merged into the main branch on 01/27/2026. The xrdp project fixed the issue in version 0.10.5 and backported the fix to versions 0.9.27 and 0.10.4.1, and issued a security bulletin.
What this means for Kaspersky Thin Client customers, xrdp administrators, and open-source maintainers
- Kaspersky Thin Client customers who use the Kaspersky USB Redirector module should treat this as a server-side xrdp vulnerability discovered during a Kaspersky audit; the immediate action is to ensure xrdp instances are updated to the patched releases listed by the project.
- xrdp administrators need to apply the patch or upgrade to xrdp 0.10.5 (or the backported releases 0.9.27 / 0.10.4.1) because the flaw is exploitable prior to authentication and targets a common input field (the domain). Relying solely on compiler-enabled stack canaries is discouraged by the xrdp maintainers.
- Open-source maintainers and projects integrating xrdp should note the value of coordinated disclosure: Kaspersky reported the issue, and the maintainers produced rapid fixes and a security bulletin, demonstrating the practical benefit of audits and coordinated response.
Conclusion: CVE-2025-68670 is a straightforward stack-overflow bug born of an input-size mismatch across a UTF-16-to-UTF-8 conversion and a fixed-size local buffer. It was responsibly disclosed by Kaspersky and patched by the xrdp project; operators should install the patched releases and heed the maintainers’ advice not to treat compiler protections as a sole mitigation.