Critical RCE Vulnerability Discovered in xrdp – Patch Now (CVE-2025-68670)

From Stripgay, the free encyclopedia of technology

Breaking: Critical xrdp RCE Vulnerability (CVE-2025-68670) Patched

A critical remote code execution (RCE) vulnerability has been uncovered in xrdp, the open-source remote desktop server for Linux. Tracked as CVE-2025-68670, the flaw was found by Kaspersky researchers during a security audit of Kaspersky USB Redirector, a module that embeds xrdp. An unauthenticated attacker who can reach the service could exploit it to execute arbitrary code on affected systems and potentially take over thin clients or servers.

Critical RCE Vulnerability Discovered in xrdp – Patch Now (CVE-2025-68670)
Source: securelist.com

The xrdp project has released patches in versions 0.10.5, 0.9.27, and 0.10.4.1. Kaspersky has also updated its USB Redirector to incorporate the fix. Users are urged to apply these updates immediately.

What Happened?

“This vulnerability could enable attackers to take over thin client devices without any prior access,” said a Kaspersky security researcher. “We encourage all users to update immediately.” The flaw was reported responsibly to the xrdp maintainers, who responded quickly with fixes and a security bulletin.

The vulnerability lies in the Secure Settings Exchange phase of an RDP connection, which takes place before the user is authenticated. In this phase the client sends a Client Info PDU carrying the username, password and domain as UTF-16 strings of up to 512 bytes each. The server converts each field from UTF-16 to UTF-8 into a fixed 512-byte buffer. The conversion can grow the data: a character in the range U+0800 to U+FFFF occupies 2 bytes in UTF-16 but 3 in UTF-8, so a 512-byte field can need up to 768 bytes of UTF-8 and overrun the buffer. The resulting memory corruption can be turned into arbitrary code execution.

The vulnerable code is in the ts_info_utf16_in function, whose length check was meant to prevent this overflow but fails when the conversion expands the data. The flaw affects all xrdp versions prior to the patched releases.
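To make the expansion concrete, here is an added example in C that is not xrdp's code and does not reproduce ts_info_utf16_in: it measures how much UTF-8 a client-supplied UTF-16 field needs and converts it with a bound on the output rather than the input. The 512-byte sizes are taken from the article; the function names, the constructed worst-case username and the 1024-byte scratch buffer are the example's own assumptions.

```c
/* Added illustration, not xrdp's code: why UTF-16 -> UTF-8 conversion into a fixed
 * 512-byte buffer overflows, and a bounded converter. Sizes follow the article; names are illustrative. */
#include <stdint.h>
#include <stdio.h>
#define CRED_BUF 512   /* fixed destination size described in the article */

/* Decode one UTF-16LE code point: returns code units consumed (1 or 2), or 0 for a lone
 * or reversed surrogate or a pair cut off by the end of the field. */
static size_t utf16le_decode(const uint8_t *p, size_t units_left, uint32_t *cp)
{
    uint32_t hi = p[0] | ((uint32_t)p[1] << 8);
    if (hi < 0xD800 || hi > 0xDFFF) { *cp = hi; return 1; }
    if (hi > 0xDBFF || units_left < 2) return 0;
    uint32_t lo = p[2] | ((uint32_t)p[3] << 8);
    if (lo < 0xDC00 || lo > 0xDFFF) return 0;
    *cp = 0x10000 + (((hi - 0xD800) << 10) | (lo - 0xDC00));
    return 2;
}

/* UTF-8 size of one code point. U+0800..U+FFFF costs 2 bytes in UTF-16 but 3 in UTF-8. */
static size_t utf8_width(uint32_t cp)
{
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/* UTF-8 bytes (without NUL) a UTF-16LE field needs, or -1 if it is malformed. */
long utf8_bytes_needed(const uint8_t *in, size_t in_bytes)
{
    size_t units = in_bytes / 2, i = 0, total = 0, n;
    uint32_t cp;
    while (i < units) {
        if ((n = utf16le_decode(in + 2 * i, units - i, &cp)) == 0) return -1;
        total += utf8_width(cp);
        i += n;
    }
    return (long)total;
}

/* Bounded conversion: writes at most out_cap-1 bytes plus a NUL and returns the byte
 * count, or -1 if the input is malformed or the output would not fit. The check is on
 * the OUTPUT length; checking only that the input is <= 512 bytes is the mistake. */
long utf16le_to_utf8_bounded(const uint8_t *in, size_t in_bytes, char *out, size_t out_cap)
{
    static const uint8_t lead[] = { 0, 0, 0xC0, 0xE0, 0xF0 };
    size_t units = in_bytes / 2, i = 0, o = 0, n, w, k;
    uint32_t cp;
    if (out_cap == 0) return -1;
    while (i < units) {
        if ((n = utf16le_decode(in + 2 * i, units - i, &cp)) == 0) return -1;
        w = utf8_width(cp);
        if (o + w >= out_cap) return -1;            /* would overflow: refuse, don't truncate silently */
        if (w == 1) out[o] = (char)cp;
        else {                                      /* lead byte, then continuation bytes */
            out[o] = (char)(lead[w] | (cp >> (6 * (w - 1))));
            for (k = 1; k < w; k++)
                out[o + k] = (char)(0x80 | ((cp >> (6 * (w - 1 - k))) & 0x3F));
        }
        o += w; i += n;
    }
    out[o] = '\0';
    return (long)o;
}

/* Constructed worst case (not a captured packet): a full 512-byte username of U+20AC
 * EURO SIGN, 2 bytes per character in UTF-16LE and 3 bytes in UTF-8. */
static size_t build_expanding_field(uint8_t *buf, size_t cap)
{
    size_t n = 0;
    while (n + 2 <= cap) { buf[n++] = 0xAC; buf[n++] = 0x20; }
    return n;
}

/* UTF-8 bytes the constructed field needs: 768, i.e. 256 past CRED_BUF. */
long worst_case_utf8_bytes(void)
{
    uint8_t field[512];
    return utf8_bytes_needed(field, build_expanding_field(field, sizeof field));
}

/* Bounded conversion of the constructed field into `cap` bytes (cap <= 1024, an
 * assumed scratch size): bytes written, or -1 when refused. */
long worst_case_converted_with_cap(size_t cap)
{
    uint8_t field[512];
    char out[1024];
    if (cap > sizeof out) return -1;
    return utf16le_to_utf8_bounded(field, build_expanding_field(field, sizeof field), out, cap);
}

/* A lone high surrogate is malformed: reject it rather than emit garbage. */
int lone_surrogate_rejected(void)
{
    static const uint8_t lone[] = { 0x00, 0xD8 };
    return utf8_bytes_needed(lone, sizeof lone) == -1;
}
int main(void)
{
    printf("512-byte UTF-16 field -> %ld UTF-8 bytes; bounded convert into %d bytes -> %ld\n",
           worst_case_utf8_bytes(), CRED_BUF, worst_case_converted_with_cap(CRED_BUF));
}
```

Compile with `cc -Wall` and run: the worst-case field needs 768 bytes, 256 more than the buffer, and the bounded converter returns -1 for a 512-byte destination instead of writing past it. The general point holds for any UTF-16 to UTF-8 conversion: size the destination for 1.5 times the UTF-16 byte length, or check the output position on every character.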

Background

xrdp is a widely used open-source implementation of Microsoft's RDP protocol that runs as a server on Linux: standard RDP clients, including the built-in Windows client and Linux thin clients, connect through it to a desktop session on the Linux host. Kaspersky integrates xrdp into its Kaspersky USB Redirector module, which allows secure redirection of USB devices such as flash drives, tokens, and printers during remote sessions.


The vulnerability was discovered during a routine security audit of Kaspersky USB Redirector. “We take security seriously and regularly assess our products,” the researcher noted. “This find highlights the need for constant vigilance in third-party components.”

What This Means

System administrators must prioritize updating xrdp to a patched version (0.10.5, 0.9.27, or 0.10.4.1). Because the flaw is reached before authentication, any attacker who can open a TCP connection to the xrdp listener (port 3389 by default) can attempt to exploit it; no credentials are needed. Users of Kaspersky Thin Client and USB Redirector should also apply the latest updates from Kaspersky.

“This vulnerability underscores the importance of securing remote desktop infrastructure,” the researcher added. “Unpatched systems are at high risk of compromise.” Organizations should also consider network-level controls to limit RDP exposure until patches are applied.

Action Items:

  • Update xrdp to version 0.10.5 or apply backported patches to 0.9.27 and 0.10.4.1.
  • Update Kaspersky USB Redirector to the latest version.
  • Restrict access to the xrdp port (3389/tcp by default) to trusted networks, or place it behind a VPN, if immediate patching is not possible.

For more details, see the project’s security advisory.