Understanding CVE-2025-68670: An RCE Vulnerability in xrdp Server


During a routine security audit of Kaspersky USB Redirector—a module that extends the xrdp remote desktop server to allow access to local USB devices in remote sessions—our team uncovered a serious vulnerability: CVE-2025-68670. This remote code execution (RCE) flaw in xrdp could allow an attacker to execute arbitrary code on a target system. We reported it to the xrdp maintainers, who swiftly addressed the issue in version 0.10.5, with backports to versions 0.9.27 and 0.10.4.1. This article breaks down the vulnerability in a Q&A format, explaining how it works, why it matters, and how to stay protected.

1. What is CVE-2025-68670 and how was it discovered?

CVE-2025-68670 is a remote code execution vulnerability found in the xrdp server, which is widely used to enable Remote Desktop Protocol (RDP) connections on Linux systems. It was uncovered in the second half of 2024 during a security audit of Kaspersky USB Redirector—a tool that lets thin clients access local USB devices like flash drives, smart cards, and printers within an RDP session. While analyzing how xrdp handles client credentials during connection setup, our researchers identified a buffer overflow condition that could be exploited to inject and execute malicious code. Maintainers were notified and released fixes quickly, updating to version 0.10.5 and patching earlier supported releases.


2. What role does Kaspersky USB Redirector play in this context?

Kaspersky USB Redirector is a commercial module that enhances the functionality of xrdp, an open-source RDP server for Linux. It allows remote desktop users to seamlessly access USB devices attached to the thin client—such as tokens, flash drives, smart cards, and printers—while maintaining encryption and security. Because this module works directly with xrdp, any vulnerability in the underlying server could affect users of Kaspersky Thin Client and other xrdp-based solutions. The discovery of CVE-2025-68670 during a security audit of the redirector underscores how even well-maintained tools can have hidden flaws and the importance of routine security assessments.

3. How does the RDP Secure Settings Exchange relate to the vulnerability?

Establishing an RDP connection involves multiple stages, one of which is the Secure Settings Exchange, which occurs just before user authentication. During this phase, the client sends a Client Info PDU (protocol data unit) containing sensitive data: username, password, auto-reconnect cookies, and more. This information is packaged into a TS_INFO_PACKET structure. The vulnerability is tied to how xrdp processes these packets. If an attacker can craft a malicious client info packet with specially sized strings, they can trigger a buffer overflow in the xrdp server, leading to arbitrary code execution. Essentially, the flaw lies in the way xrdp validates and handles the length of credential fields during the exchange.

4. What is the TS_INFO_PACKET structure and how does it contribute to the bug?

In xrdp’s code, client credentials are stored in a structure called xrdp_client_info, which includes fields such as username, password, domain, program, and directory, each defined as a character array of size INFO_CLIENT_MAX_CB_LEN (512 bytes). When the client sends these fields over the network, they come as Unicode (UTF-16) strings, but the server converts them to UTF-8 before storing. The conversion function ts_info_utf16_in receives a destination buffer size (512 bytes) and reads src_bytes from the stream. The bug occurs when the UTF-16 input contains a null terminator placed beyond the expected length—causing the server to read past the allocated memory, overflowing the buffer. This overflow can overwrite adjacent data structures, enabling remote code execution.

5. How does the UTF-16 to UTF-8 conversion lead to a buffer overflow?

The conversion function ts_info_utf16_in is supposed to protect against overflow by checking the remaining data in the stream against the requested bytes. However, the vulnerability arises from a subtle mismatch: the incoming UTF-16 string can be up to 512 bytes (including a null terminator), but after conversion to UTF-8, the resulting string might require more than 512 bytes because UTF-8 can expand certain characters. The function does not account for this expansion. If the source UTF-16 string is deliberately crafted with characters that become longer in UTF-8, the server copies a larger string into the fixed-size buffer, causing a buffer overflow. This uncontrolled write can corrupt memory, potentially allowing an attacker to inject and execute shellcode remotely.


6. What is the fix and how were users protected?

Upon receiving our report, the xrdp development team acted quickly. The vulnerability was patched in xrdp version 0.10.5, and the fix was backported to the stable branches 0.9.27 and 0.10.4.1. The patch ensures that the UTF-16 to UTF-8 conversion properly checks the available space in the destination buffer, including a safety margin for expansion. A security bulletin was published advising all users to update to these patched versions. Because Kaspersky USB Redirector relies on xrdp, users of Kaspersky Thin Client were also urged to apply the updates. As always, keeping software up to date is the primary defense against such vulnerabilities.
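To make the point of questions 5 and 6 concrete, here is an added example of a bounded UTF-16LE to UTF-8 converter written for this article; it is not xrdp's ts_info_utf16_in and not the maintainers' patch, and the function names, the sample inputs and the buffer sizes are all constructed for illustration. It shows the two things the fix has to get right: the read is bounded by the byte count carried in the stream rather than by searching for a terminator, and before every code point is emitted the converter checks that the encoded bytes plus the trailing NUL still fit in the destination. Two inputs of identical wire size (10 bytes of UTF-16) are used: "user", which stays 4 bytes in UTF-8, and four U+20AC euro signs, which expand to 12 bytes and are rejected when the destination was sized for the UTF-16 length.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Worst-case UTF-8 size, including the NUL, for a UTF-16 string of
 * utf16_bytes bytes: each 2-byte code unit can become up to 3 UTF-8 bytes
 * (a surrogate pair is 4 UTF-16 bytes -> 4 UTF-8 bytes, so 3 per unit also
 * bounds that case). For a 512-byte UTF-16 field this is 769 bytes. */
size_t utf8_worst_case_size(size_t utf16_bytes)
{
    return (utf16_bytes / 2) * 3 + 1;
}

/* Hypothetical bounded converter (assumed name, not xrdp's code).
 * Decodes at most src_bytes of UTF-16LE, stopping early at an embedded
 * U+0000, and writes NUL-terminated UTF-8 into dst. Returns the UTF-8
 * length without the NUL, or -1 if the output would not fit in dst_size
 * or the input is malformed. */
int utf16le_to_utf8_bounded(const uint8_t *src, size_t src_bytes,
                            char *dst, size_t dst_size)
{
    size_t in = 0, out = 0;

    if (dst_size == 0)
        return -1;

    /* Bound the read by src_bytes, never by scanning for a terminator. */
    while (in + 1 < src_bytes) {
        uint32_t cp = (uint32_t)src[in] | ((uint32_t)src[in + 1] << 8);
        in += 2;

        if (cp == 0)
            break;                                   /* end of string */

        if (cp >= 0xD800 && cp <= 0xDBFF) {          /* high surrogate */
            if (in + 1 >= src_bytes)
                return -1;                           /* pair cut off by src_bytes */
            uint32_t lo = (uint32_t)src[in] | ((uint32_t)src[in + 1] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF)
                return -1;                           /* not a low surrogate */
            in += 2;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                               /* lone low surrogate */
        }

        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;

        /* The check the article describes: room for this code point and the NUL. */
        if (out + need + 1 > dst_size)
            return -1;

        switch (need) {
        case 1:
            dst[out++] = (char)cp;
            break;
        case 2:
            dst[out++] = (char)(0xC0 | (cp >> 6));
            dst[out++] = (char)(0x80 | (cp & 0x3F));
            break;
        case 3:
            dst[out++] = (char)(0xE0 | (cp >> 12));
            dst[out++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            dst[out++] = (char)(0x80 | (cp & 0x3F));
            break;
        default:
            dst[out++] = (char)(0xF0 | (cp >> 18));
            dst[out++] = (char)(0x80 | ((cp >> 12) & 0x3F));
            dst[out++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            dst[out++] = (char)(0x80 | (cp & 0x3F));
            break;
        }
    }
    dst[out] = '\0';
    return (int)out;
}

/* Constructed sample inputs (not captured RDP traffic). Both are 10 bytes of
 * UTF-16LE, the same wire size, but expand very differently in UTF-8. */
static const uint8_t SAMPLE_ASCII[10] = { 'u', 0, 's', 0, 'e', 0, 'r', 0, 0, 0 };
static const uint8_t SAMPLE_EURO[10]  = { 0xAC, 0x20, 0xAC, 0x20, 0xAC, 0x20,
                                          0xAC, 0x20, 0, 0 };   /* U+20AC x4 */

/* "user" into a buffer sized for the UTF-16 length: 4 bytes plus NUL, fits. */
int demo_ascii_fits(void)
{
    char dst[10];
    return utf16le_to_utf8_bounded(SAMPLE_ASCII, sizeof SAMPLE_ASCII, dst, sizeof dst);
}

/* Four euro signs into the same 10-byte buffer need 12 bytes plus NUL. A
 * converter that trusted the UTF-16 length would write past the end here;
 * the bounded one returns -1 and writes nothing beyond the buffer. */
int demo_expansion_rejected(void)
{
    char dst[10];
    return utf16le_to_utf8_bounded(SAMPLE_EURO, sizeof SAMPLE_EURO, dst, sizeof dst);
}

/* Same input into a buffer sized with utf8_worst_case_size(10) == 16: converts fully. */
int demo_expansion_fits(void)
{
    char dst[16];
    int n = utf16le_to_utf8_bounded(SAMPLE_EURO, sizeof SAMPLE_EURO, dst, sizeof dst);
    return n == 12 &&
           memcmp(dst, "\xE2\x82\xAC\xE2\x82\xAC\xE2\x82\xAC\xE2\x82\xAC", 13) == 0;
}
```

The design choice worth noting is that the destination check runs per code point, so the function never needs to know the expansion ratio in advance; callers that want a one-shot guarantee can instead allocate utf8_worst_case_size() bytes for a field whose UTF-16 length is fixed by the protocol, which for the 512-byte fields described above is 769 bytes rather than 512.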

7. What are the recommendations for staying protected?

Following these practices helps minimize the risk from this and similar vulnerabilities.

8. What can we learn from this vulnerability?

CVE-2025-68670 highlights the importance of careful buffer handling when converting between character encodings—a common source of security flaws. It also demonstrates the value of regular security audits, even for mature open source projects like xrdp. For organizations using remote desktop solutions, this serves as a reminder that every component in the stack (from the RDP server to optional modules like USB Redirector) can be a potential attack surface. By staying proactive with patches and employing defense-in-depth strategies, you can significantly reduce the chance of exploitation. The responsible disclosure process also shows how collaboration between vendors and open-source maintainers can quickly protect users.
