10 Critical Things to Know About the CVE-2025-68670 RCE Vulnerability in xrdp

In the world of remote desktop services, security is paramount. Recently, a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-68670, was uncovered within the xrdp server—a key component used by Kaspersky USB Redirector. This vulnerability could allow an attacker to execute arbitrary code before authentication, posing a severe threat. Below, we break down the ten essential facts you need to know about this flaw, from how it was discovered to how you can protect your systems.

1. The Role of Kaspersky USB Redirector in xrdp

Kaspersky USB Redirector is a module that extends the xrdp remote desktop server for Linux. It enables users of Kaspersky Thin Client to access local USB devices—like flash drives, smart cards, and printers—within a remote desktop session. While this connectivity is valuable, it also introduces the attack surface that security audits must scrutinize.

10 Critical Things to Know About the CVE-2025-68670 RCE Vulnerability in xrdp
Source: securelist.com

2. Discovery of the Vulnerability

During a routine security audit of Kaspersky USB Redirector last year, researchers from Kaspersky identified a previously unknown flaw in the xrdp server itself. Assigned CVE-2025-68670, this vulnerability is a remote code execution (RCE) bug that occurs in the Secure Settings Exchange phase, just before client authentication. The discovery underscores the importance of continuous security testing even in widely used open-source components.

3. The Affected Component: Secure Settings Exchange

Establishing an RDP connection involves multiple stages. The vulnerability is specifically tied to the Secure Settings Exchange, where the client sends protected credentials to the server. At this stage, the client transmits a Client Info PDU containing username, password, auto-reconnect cookies, and other data. The flaw lies in how xrdp processes this data before any authentication occurs.

4. The TS_INFO_PACKET Structure

The client bundles the credentials into a TS_INFO_PACKET structure. This packet holds fields like username, password, domain, program, and directory. Each field is a Unicode string with a maximum length of 512 bytes, including a null terminator. In xrdp’s code, these map to the xrdp_client_info structure, which uses fixed-size buffers defined by the constant INFO_CLIENT_MAX_CB_LEN (512).

5. Buffer Size Constraints

The xrdp_client_info structure allocates exactly 512 bytes per field. However, the incoming Unicode data is encoded as UTF-16. When converting to UTF-8—which the server does before storage—the resulting byte count can exceed 512 bytes for certain characters. This discrepancy sets the stage for a potential buffer overflow if the conversion is not handled carefully.

6. Unicode Conversion and the ts_info_utf16_in Function

The conversion from UTF-16 to UTF-8 is performed by the function ts_info_utf16_in. It receives the source stream, the number of bytes to read, the destination buffer, and its length. The function includes a call to s_check_rem_and_log to validate that the source stream has enough remaining data. While this check prevents reading beyond the stream, it does not fully protect against overflow when the UTF-8 output exceeds the destination size.

10 Critical Things to Know About the CVE-2025-68670 RCE Vulnerability in xrdp
Source: securelist.com

7. Root Cause: Insufficient Size Validation

The core of CVE-2025-68670 is that ts_info_utf16_in does not properly verify whether the converted UTF-8 string fits into the destination buffer. Although the function receives dst_len, the implementation may not account for the fact that UTF-16 characters can expand up to 3 bytes per character in UTF-8. An attacker can craft a username or domain field that, after conversion, overflows the fixed 512-byte buffer—leading to memory corruption.

8. Impact: Remote Code Execution

Successfully exploiting this overflow allows an unauthenticated attacker to execute arbitrary code on the target machine. Since the vulnerability is triggered before authentication, no valid credentials are required. The attacker can gain full control of the remote desktop server, potentially compromising the entire network. This qualifies as a critical severity issue under CVSS.

9. Responsible Disclosure and Patch

Kaspersky responsibly disclosed the vulnerability to the xrdp maintainers, who acted swiftly. The fix was released in xrdp version 0.10.5 and backported to versions 0.9.27 and 0.10.4.1. A security bulletin was also issued. The patch adds proper bounds checking during the UTF-16 to UTF-8 conversion, ensuring the destination buffer is never exceeded. Users are strongly advised to upgrade to one of these patched versions immediately.

10. Staying Protected: Best Practices

To defend against CVE-2025-68670 and similar threats, follow these steps:

  • Update xrdp to the latest patched version (0.10.5 or higher).
  • Verify backports for legacy installations (0.9.27 or 0.10.4.1).
  • Limit exposure by restricting RDP access to trusted networks or using firewalls.
  • Monitor for unusual activity in remote desktop logs.
  • Conduct regular security audits on all components in your thin client infrastructure.

Conclusion: The discovery of CVE-2025-68670 highlights how a seemingly small oversight in Unicode conversion can lead to catastrophic RCE. The prompt response from xrdp developers and Kaspersky’s responsible disclosure set a strong example. By staying updated and vigilant, you can keep your remote desktop environments secure.

Tags:

Recommended

Discover More

Saros and Pragmata Signal a Golden Age for Pure, Unapologetic Video GamesWindows 11 KB5083631 Optional Update: 34 Enhancements Including Xbox Mode and Batch File Security BoostNavigating the Federated Social Web: Your Guide to Linking Mastodon, Bluesky, and Beyond5 Lessons from GitHub's Rate Limiting Overreach: When Defenses Become the ProblemCan Claude’s Free Tier Outshine a Paid Gemini Subscription? My Surprising Test Results