Breaking: Remote Code Execution Vulnerability in xrdp Puts Thin Clients at Risk
A severe remote code execution (RCE) vulnerability — tracked as CVE-2025-68670 — has been discovered in the xrdp remote desktop server, a core component of many Linux-based thin client solutions. The flaw allows an attacker to execute arbitrary code on the server before authentication, potentially compromising sensitive data.
Security researchers at Kaspersky uncovered the bug during a routine audit of their USB Redirector module, which extends xrdp functionality. They reported it to the xrdp maintainers, who quickly released patches in versions 0.10.5, 0.9.27, and 0.10.4.1. "The response was swift, but users must apply the update immediately," said a Kaspersky threat researcher.
How the Attack Works
The vulnerability lies in the Secure Settings Exchange phase of the RDP connection, which occurs just before client authentication. During this stage, the client sends a Client Info PDU containing credentials and other data in a TS_INFO_PACKET structure. These fields — username, password, domain, program, and directory — are Unicode strings up to 512 bytes, with a required null terminator.
In xrdp’s code, these are stored in a buffer of size INFO_CLIENT_MAX_CB_LEN (512 characters). However, the conversion from UTF-16 to UTF-8 can cause a buffer overflow if the input is crafted maliciously. The function ts_info_utf16_in was intended to protect against overflows, but a flaw in its length check enables the bypass. "An attacker can send a specially crafted client info packet to overflow the buffer and gain code execution," explained the researcher.
Background: xrdp and Thin Client Security
xrdp is an open-source remote desktop protocol server for Linux, widely used in enterprise thin client environments to provide remote access to Windows-like desktops. Kaspersky Thin Client and Kaspersky USB Redirector rely on xrdp to enable secure access to local USB devices like flash drives, smart cards, and printers during remote sessions.
This vulnerability affects any xrdp installation prior to the patched versions. Because the exploit occurs pre-authentication, it does not require valid credentials. "This is a critical finding because it bypasses authentication entirely," the researcher noted. Kaspersky's security audit was part of their ongoing commitment to product safety, and they emphasize that all users of xrdp should upgrade without delay.
What This Means for Users and Administrators
If left unpatched, CVE-2025-68670 could allow a remote, unauthenticated attacker to take full control of an xrdp server. In thin client deployments, this could lead to data exfiltration, lateral movement, or installation of backdoors. Organizations using Kaspersky USB Redirector or any xrdp-based solution should:
- Update xrdp to version 0.10.5 (or 0.9.27/0.10.4.1 for backported fixes) immediately.
- Restrict network access to the xrdp service (port 3389) using firewalls or VPNs.
- Monitor logs for unusual connection attempts before authentication.
Kaspersky has released a security bulletin with full details. For a deep dive into the technical exploit, read the analysis. The vulnerability was responsibly disclosed, and no active exploitation has been confirmed yet — but urgency is paramount. "The window for attackers to reverse-engineer the patch and create exploits is now open," the researcher warned.