CVE-2025-68670 (a critical pre-authentication remote code execution vulnerability in xrdp, the most widely deployed open-source Remote Desktop Protocol server for Linux) carries a CVSS v3.1 score of 9.8 — the highest possible risk rating for a network-accessible flaw. Discovered by researchers at Kaspersky during a security audit of a Linux remote access tool, the vulnerability allows an unauthenticated attacker to execute arbitrary code on any reachable xrdp server before a login prompt is ever shown. Patches are available; unpatched xrdp servers exposed to the internet should be updated immediately.
CVE-2025-68670: Technical Details
CVE-2025-68670 is a stack-based buffer overflow (CWE-787 Out-of-bounds Write / CWE-121 Stack-based Buffer Overflow) in the xrdp_wm_parse_domain_information() function within xrdp's session management code. A stack-based buffer overflow occurs when a program writes more data into a fixed-size memory region on the call stack than that region can hold, overwriting adjacent memory including return addresses — giving an attacker control over what code executes next.
The flaw exists in how xrdp processes domain information submitted by a client during the initial RDP handshake. When the function receives a domain name that begins with an underscore (_), it attempts to copy data between the "_" and "__" markers into a fixed 256-byte stack buffer. However, the source data can reach up to 512 bytes after UTF-8 conversion is applied, and no bounds check prevents writing beyond the 256-byte boundary. This allows an attacker to overwrite stack memory and redirect execution to attacker-controlled shellcode.
Critically, xrdp_wm_parse_domain_information() executes before client authentication — meaning no credentials, no session token, and no prior access are required to trigger the vulnerability. Any host that can reach TCP port 3389 (the standard RDP port) on a vulnerable xrdp server can exploit CVE-2025-68670.
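The defensive pattern that closes this class of bug, as an added illustration and not xrdp's own code: a hypothetical bounded extractor for the "_ ... __" domain field that refuses any payload larger than the 256-byte stack buffer instead of writing past it. The UTF-8 conversion step is omitted; the length check here is applied to the already-converted bytes, and the 512-byte input is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#define DOMAIN_BUF_SIZE 256   /* fixed-size stack buffer, as described above */
enum { DOMAIN_OK = 0, DOMAIN_NO_MARKER = -1, DOMAIN_TOO_LONG = -2 };

/* Hypothetical bounded extractor (not xrdp's code): copy the bytes between a
 * leading "_" and the next "__" into out, NUL-terminated. A payload that does
 * not fit, terminator included, is rejected instead of being written. */
static int parse_domain_field(const char *domain, size_t domain_len,
                              char *out, size_t out_size)
{
    if (out_size == 0 || domain_len == 0 || domain[0] != '_')
        return DOMAIN_NO_MARKER;
    const char *start = domain + 1, *end = NULL;
    for (size_t i = 0; i + 1 < domain_len - 1; i++) {      /* find "__" */
        if (start[i] == '_' && start[i + 1] == '_') { end = start + i; break; }
    }
    if (end == NULL)
        return DOMAIN_NO_MARKER;
    size_t payload_len = (size_t)(end - start);
    if (payload_len >= out_size)          /* the bounds check the flaw lacks */
        return DOMAIN_TOO_LONG;
    memcpy(out, start, payload_len);
    out[payload_len] = '\0';
    return DOMAIN_OK;
}
/* Parse one domain string into a 256-byte stack buffer and return the status. */
static int check_domain(const char *domain)
{
    char buf[DOMAIN_BUF_SIZE];
    return parse_domain_field(domain, strlen(domain), buf, sizeof buf);
}
/* Constructed input: "_" + payload_len bytes of 'A' + "__", then parse it. */
static int check_payload_len(size_t payload_len)
{
    char domain[1024];
    if (payload_len + 4 > sizeof domain)
        return DOMAIN_TOO_LONG;
    domain[0] = '_';
    memset(domain + 1, 'A', payload_len);
    memcpy(domain + 1 + payload_len, "__", 3);         /* also copies the NUL */
    return check_domain(domain);
}

int main(void)
{
    printf("_corp__ -> %d, 255 bytes -> %d, 512 bytes -> %d\n",
           check_domain("_corp__"), check_payload_len(255), check_payload_len(512));
    return 0;
}
```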
The CVSS 9.8 score (Critical — the highest severity tier, indicating a vulnerability that is trivially exploitable over the network without any authentication or user interaction, with full impact on confidentiality, integrity, and availability) reflects the attack vector precisely: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Each component of this vector matters:
- AV:N (Attack Vector: Network) — exploitable remotely
- AC:L (Attack Complexity: Low) — no special conditions required
- PR:N (Privileges Required: None) — no account needed
- UI:N (User Interaction: None) — fully automated exploitation possible
- C:H / I:H / A:H — complete compromise of confidentiality, integrity, and availability
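How the vector above produces 9.8, worked through as an added example (not from the advisory): the CVSS v3.1 base-score formula with the specification's metric weights, plus a comparison showing what the same flaw would score if it required a low-privileged account (PR:L), which is the assumption added here to show why the pre-authentication property matters.

```c
#include <stdio.h>
/* CVSS v3.1 base-metric weights (FIRST specification constants) for the
 * vector on this page; PR_LOW is included only for the comparison below. */
#define AV_NETWORK 0.85
#define AC_LOW     0.77
#define PR_NONE    0.85     /* Scope Unchanged */
#define PR_LOW     0.62     /* Scope Unchanged */
#define UI_NONE    0.85
#define CIA_HIGH   0.56
/* CVSS v3.1 Roundup: the smallest one-decimal value >= x, computed on an
 * integer scaled by 100000 so that floating-point noise cannot tip a result. */
static double cvss_roundup(double x)
{
    long scaled = (long)(x * 100000.0 + 0.5);
    if (scaled % 10000 == 0)
        return scaled / 100000.0;
    return (scaled / 10000 + 1) / 10.0;
}
/* Base score for a Scope:Unchanged vector. */
static double cvss31_base_unchanged(double av, double ac, double pr, double ui,
                                    double c, double i, double a)
{
    double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);  /* 0.914816 here */
    double impact = 6.42 * iss;                             /* 5.873 */
    double exploitability = 8.22 * av * ac * pr * ui;       /* 3.887 with PR:N */
    if (impact <= 0.0)
        return 0.0;
    double sum = impact + exploitability;
    return cvss_roundup(sum > 10.0 ? 10.0 : sum);
}
/* CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, as published */
static double score_as_published(void)
{
    return cvss31_base_unchanged(AV_NETWORK, AC_LOW, PR_NONE, UI_NONE,
                                 CIA_HIGH, CIA_HIGH, CIA_HIGH);
}
/* Same flaw if it required a low-privileged account (PR:L) instead of PR:N. */
static double score_if_post_auth(void)
{
    return cvss31_base_unchanged(AV_NETWORK, AC_LOW, PR_LOW, UI_NONE,
                                 CIA_HIGH, CIA_HIGH, CIA_HIGH);
}

int main(void)
{
    printf("pre-auth: %.1f, post-auth: %.1f\n",
           score_as_published(), score_if_post_auth());
    return 0;
}
```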
Note: stack canary protections (a compiler mitigation that places a random value on the stack and checks it before function return, catching some overwrites) may reduce exploitability on builds compiled with canary support enabled. However, canaries are not a reliable defence against all exploitation techniques, particularly against information-disclosure chaining.
The vulnerability was discovered by Kaspersky researchers Denis Skvortsov and Dmitry Shmoylov during a security assessment of Kaspersky USB Redirector, a module that extends xrdp's functionality to redirect USB devices over remote desktop sessions. The researchers identified the flaw in the underlying xrdp server component and reported it to the xrdp maintainers through coordinated disclosure. The xrdp team responded promptly and issued patches.
Exploitation Status and Threat Landscape
CVE-2025-68670 does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog — the authoritative list maintained by the U.S. Cybersecurity and Infrastructure Security Agency tracking vulnerabilities confirmed to be actively exploited in real-world attacks — as of publication. No public proof-of-concept exploit code has been released.
However, the characteristics of CVE-2025-68670 make it a high-priority target. Pre-authentication RCE vulnerabilities in network-accessible services historically attract rapid weaponisation. The xrdp service is commonly reachable from the internet on managed Linux desktops, developer workstations, thin-client environments, and legacy server management setups. An attacker who chains CVE-2025-68670 with lateral movement tooling can pivot from unauthenticated network access to full server compromise with no user interaction required.
MITRE ATT&CK technique T1190 (Exploit Public-Facing Application — a standardised classification for attacks that exploit vulnerabilities in internet-accessible services to gain initial access to a network) is the applicable entry for CVE-2025-68670 exploitation.
Who Is Affected
All xrdp installations running versions prior to 0.10.5 are affected. This includes a significant portion of Linux systems that use xrdp for remote desktop access, as many distributions ship older xrdp packages in their long-term support repositories.
Distribution-specific patched versions:
| Distribution | Patched Package Version |
|---|---|
| Debian 12 (Bookworm / oldstable) | 0.9.21.1-1+deb12u2 |
| Debian 13 (Trixie / stable) | 0.10.1-3.1+deb13u1 |
| Ubuntu (all supported releases) | Check Ubuntu Security Notices |
| RHEL / CentOS / AlmaLinux | Check vendor errata |
Upstream xrdp also backported the fix to version 0.9.27 and version 0.10.4.1 for deployments that cannot immediately move to 0.10.5. These backport releases are available from the xrdp GitHub releases page.
Organisations most at risk include:
- Enterprises running Linux VDI (Virtual Desktop Infrastructure) with internet-facing xrdp endpoints
- Managed service providers exposing xrdp for remote support
- Educational institutions and research labs with Linux desktops accessible externally
- Any server with xrdp bound to a public IP address without a VPN or jump-host requirement
What You Should Do Right Now
- Identify all xrdp instances in your environment. Run the following to check the installed version on each Linux host:
xrdp --version 2>&1 | head -1
Or for package-managed installations:
dpkg -l xrdp # Debian/Ubuntu
rpm -q xrdp # RHEL/CentOS/Fedora
- Update xrdp immediately. On Debian/Ubuntu:
sudo apt update && sudo apt install --only-upgrade xrdp
On RHEL/CentOS/Fedora, apply vendor errata via dnf update xrdp. For manually compiled installations, build from xrdp 0.10.5.
- If patching is not immediately possible, restrict access. Use firewall rules to limit xrdp (TCP 3389) access to trusted source IPs only:
sudo ufw allow from 192.168.1.0/24 to any port 3389 proto tcp
sudo ufw deny 3389
- Place xrdp behind a VPN or SSH tunnel. Never expose xrdp directly to the internet. Require users to authenticate to a VPN or establish an SSH tunnel before reaching the xrdp port.
- Monitor for exploitation attempts. Check xrdp logs at /var/log/xrdp.log and /var/log/xrdp-sesman.log for malformed domain field values or connection attempts that terminate at the domain-parsing stage. An anomalous spike in failed pre-auth connections is a potential exploitation indicator.
- Apply the patch in priority order. Systems with xrdp directly reachable from the internet (check with nmap -p 3389 <your-ip> from an external host) should be patched or isolated within 24 hours. Internal-only xrdp hosts should be patched within the next scheduled maintenance window.
Background: Understanding the Risk
xrdp is the dominant open-source implementation of Microsoft's Remote Desktop Protocol (RDP — a proprietary protocol developed by Microsoft that allows a user to connect to another computer over a network and interact with its desktop graphically) for Linux. Unlike Windows, which ships RDP support natively, Linux users rely on xrdp to enable graphical remote desktop access. The project is widely deployed: it ships in the default repositories of Debian, Ubuntu, Fedora, and most enterprise Linux distributions, making it a ubiquitous component in any organisation that provides GUI-based remote access to Linux systems.
Buffer overflow vulnerabilities in RDP implementations have a long and damaging history. Microsoft's own RDP stack suffered MS09-065 (MS-RDP-RCE) and the infamous BlueKeep (CVE-2019-0708) — a wormable pre-auth RCE that CISA and NSA issued emergency advisories about and which threat actors weaponised within months of disclosure. CVE-2025-68670 in xrdp follows the same structural pattern: a parsing flaw in the pre-authentication phase of the RDP handshake that enables remote code execution.
The key distinction from BlueKeep is that CVE-2025-68670 affects Linux systems specifically, and it requires the xrdp service to be network-accessible. Organisations that have already followed best practice and placed xrdp behind a VPN or SSH jump host are not directly exposed — but organisations that expose xrdp directly as a convenience measure for remote users face a critical-severity, unauthenticated RCE with no user interaction required.
The xrdp maintainers handled this disclosure professionally, issuing patches promptly after Kaspersky's responsible disclosure. The current risk falls entirely on administrators who have not yet applied those patches.
Conclusion
CVE-2025-68670 is a CVSS 9.8 Critical pre-authentication RCE in xrdp that requires no credentials and no user interaction to exploit. If your xrdp servers are reachable from untrusted networks, patch to xrdp 0.10.5 or apply your distribution's security update now. Restrict TCP 3389 to trusted sources immediately if patching is delayed. No active exploitation has been confirmed, but the vulnerability profile makes it a high-value target.
For any query contact us at contact@cipherssecurity.com