Understanding CVE-2025-68670: A Remote Code Execution Vulnerability in xrdp


Kaspersky's security team recently discovered a critical remote code execution (RCE) vulnerability in xrdp, the open-source Remote Desktop Protocol server for Linux. This flaw, tracked as CVE-2025-68670, was found during a security audit of the Kaspersky USB Redirector, an add-on for Kaspersky Thin Client that allows remote access to USB devices. Below, we break down the key details in a question-and-answer format.

1. What is xrdp and how does Kaspersky USB Redirector relate to it?

xrdp is an open-source implementation of Microsoft's Remote Desktop Protocol (RDP) for Linux systems, enabling remote desktop connections. Kaspersky USB Redirector is a module that extends xrdp's capabilities, allowing users of Kaspersky Thin Client to access local USB devices—such as flash drives, smart cards, and printers—within a remote desktop session. This integration provides seamless peripheral support while maintaining connection security. However, during a routine security audit of the USB Redirector, the Kaspersky team identified a vulnerability in xrdp itself, not in the redirector module.

Source: securelist.com

2. What is CVE-2025-68670 and how was it discovered?

CVE-2025-68670 is a remote code execution vulnerability in xrdp that was uncovered during Kaspersky's security assessment of their USB Redirector product. The flaw lies in how xrdp handles the Secure Settings Exchange phase of an RDP connection, specifically when processing the Client Info PDU. By sending a specially crafted packet, an attacker could trigger a buffer overflow, leading to arbitrary code execution on the server. Kaspersky responsibly disclosed the issue to the xrdp maintainers, who acted swiftly to release a fix in version 0.10.5, with backports to 0.9.27 and 0.10.4.1.

3. How does the RDP client data transmission lead to the vulnerability?

During an RDP connection setup, the client and server exchange settings through multiple stages. The vulnerability surfaces in the Secure Settings Exchange, which occurs just before authentication. The client sends a Client Info PDU containing a TS_INFO_PACKET structure with fields like username, password, and domain. These are Unicode strings limited to 512 bytes, with a required null terminator. In xrdp's code, these strings are stored in an xrdp_client_info structure using fixed-size buffers of 512 characters (INFO_CLIENT_MAX_CB_LEN). When the server converts the UTF-16 encoded data to UTF-8, a mismatch in buffer sizing can cause a buffer overflow if the conversion expands the data beyond the expected length.

4. Why does the UTF-16 to UTF-8 conversion create a security risk?

The vulnerability stems from the discrepancy between source and target encoding sizes. The client sends strings in UTF-16, where each character occupies 2 bytes. The server uses the ts_info_utf16_in function to convert these to UTF-8, which can represent characters in 1 to 4 bytes. The function accepts the source byte count and the destination buffer length (512 bytes). Although ts_info_utf16_in includes a bounds check (s_check_rem_and_log), it only verifies that the source data fits within the stream. It does not account for the fact that UTF-16 to UTF-8 conversion may produce more bytes than the source, especially for characters outside the ASCII range. An attacker can craft a UTF-16 string that, when converted, exceeds the 512-byte destination buffer, overwriting adjacent memory and enabling remote code execution.
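To make the size mismatch concrete, here is a stand-alone UTF-16LE to UTF-8 converter that checks the output side per character, the bound a safe implementation needs. It is an added example written for this article, not xrdp's ts_info_utf16_in or the project's patch; INFO_CLIENT_MAX_CB_LEN is reused only as the 512-byte buffer size named above, and the 256-character username is a constructed input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define INFO_CLIENT_MAX_CB_LEN 512  /* fixed destination buffer size named in the article */

/* Upper bound on UTF-8 bytes (plus NUL) produced from src_bytes of UTF-16:
 * each 2-byte unit can become 3 bytes (U+0800..U+FFFF); surrogate pairs stay 4->4. */
size_t utf8_worst_case(size_t src_bytes) { return (src_bytes / 2) * 3 + 1; }

/* Decode one UTF-16LE code point at s; returns the number of 16-bit units consumed. */
static size_t utf16_decode(const uint8_t *s, size_t units_left, uint32_t *cp) {
    uint32_t hi = s[0] | (uint32_t)s[1] << 8;
    if (hi >= 0xD800 && hi <= 0xDBFF && units_left >= 2) {
        uint32_t lo = s[2] | (uint32_t)s[3] << 8;
        if (lo >= 0xDC00 && lo <= 0xDFFF) {
            *cp = 0x10000 + ((hi - 0xD800) << 10) + (lo - 0xDC00);
            return 2;
        }
    }
    *cp = hi;  /* BMP character (a lone surrogate is passed through unchanged) */
    return 1;
}

/* Convert UTF-16LE to NUL-terminated UTF-8. Returns bytes written without the NUL, or -1
 * when dst_len is too small. A check on src_bytes alone cannot catch the 2->3 expansion. */
long utf16le_to_utf8(const uint8_t *src, size_t src_bytes, char *dst, size_t dst_len) {
    size_t out = 0, units = src_bytes / 2;
    static const uint8_t lead[] = {0, 0, 0xC0, 0xE0, 0xF0};  /* UTF-8 lead byte by length */
    for (size_t i = 0; i < units;) {
        uint32_t cp;
        i += utf16_decode(src + 2 * i, units - i, &cp);
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (out + need + 1 > dst_len) return -1;  /* output-side bound, checked per character */
        if (need == 1) { dst[out++] = (char)cp; continue; }
        dst[out++] = (char)(lead[need] | (cp >> (6 * (need - 1))));
        for (size_t k = need - 1; k > 0; k--)
            dst[out++] = (char)(0x80 | ((cp >> (6 * (k - 1))) & 0x3F));
    }
    dst[out] = '\0';
    return (long)out;
}

/* Constructed worst case: a 512-byte UTF-16 username made of 256 copies of U+20AC
 * (3 UTF-8 bytes each) passes a source-length check but needs 769 bytes of output. */
int oversized_client_info_rejected(void) {
    uint8_t username[INFO_CLIENT_MAX_CB_LEN];
    char dst[INFO_CLIENT_MAX_CB_LEN];
    for (size_t i = 0; i < sizeof username; i += 2) { username[i] = 0xAC; username[i + 1] = 0x20; }
    return utf16le_to_utf8(username, sizeof username, dst, sizeof dst) == -1;
}
```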


5. What are the potential impacts of exploiting this vulnerability?

Successful exploitation of CVE-2025-68670 could allow an unauthenticated remote attacker to execute arbitrary code on the xrdp server. This grants full control over the server, including the ability to install malware, steal data, or use the compromised system as a pivot for further attacks. Since xrdp often runs on servers serving multiple thin clients, a single exploit could compromise an entire enterprise environment. The vulnerability is particularly dangerous because it occurs before authentication, meaning no valid credentials are required to trigger it.

6. How was the vulnerability fixed and what versions are affected?

The xrdp project maintainers addressed CVE-2025-68670 by modifying the ts_info_utf16_in function to properly calculate the maximum possible output size during the UTF-16 to UTF-8 conversion. They also added bounds checks to ensure the destination buffer cannot be exceeded. The fix was released in xrdp version 0.10.5, with backports to versions 0.9.27 and 0.10.4.1. All earlier versions are considered vulnerable. Users running older releases should update immediately to one of these patched versions.

7. What steps can users take to protect themselves?

The primary recommendation is to upgrade xrdp to version 0.10.5, 0.9.27, or 0.10.4.1 as soon as possible. If an immediate upgrade is not feasible, administrators should restrict network access to the xrdp server (port 3389 by default) to trusted IP ranges only, using firewalls or VPNs. Additionally, monitoring logs for unusual RDP connection attempts can help detect exploitation attempts. For users of Kaspersky USB Redirector, ensure that the underlying xrdp installation is patched, as the redirector depends on xrdp's security.
