Kaspersky researchers discovered CVE-2025-68670, a pre-authentication remote code execution vulnerability in the xrdp Linux remote desktop server. The flaw exists in the xrdp_wm_parse_domain_information function, which processes the client-supplied domain name before the client has authenticated. A crafted domain name starting with an underscore can overflow a 256-byte stack buffer when the domain name (up to 512 bytes in UTF-8) is written into it, potentially overwriting the return address. Exploitation is possible without valid credentials. Stack canaries provide partial mitigation but are not sufficient on their own. The vulnerability was patched in xrdp versions 0.10.5, 0.9.27, and 0.10.4.1 following responsible disclosure. The researchers demonstrate a PoC that triggers the overflow with a specially crafted RDP file containing Cyrillic characters.
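The following is an added illustration of the bug class described above, not xrdp's code: a hypothetical model of the parsing step in which a length check in bytes (rather than characters) is applied before the name is copied into the fixed 256-byte buffer. The function names, the "underscore-prefixed" condition flag, and the Cyrillic sample generator are assumptions made for this example; the 256-byte and 512-byte figures come from the write-up.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative model of the parsing step (hypothetical, not xrdp's code).
 * The client-supplied domain name is copied into a fixed 256-byte stack
 * buffer; the reported defect is that up to 512 bytes of UTF-8 could be
 * written into it with no bound check. */
#define DOMAIN_BUF_SIZE 256

/* The write-up says the affected path is taken for names beginning with an
 * underscore; this hypothetical predicate models that condition. */
static int takes_special_path(const char *domain, size_t len)
{
    return len > 0 && domain[0] == '_';
}

/* Hardened version: the bound is checked in BYTES, not characters, and must
 * leave room for the terminating NUL. Returns 1 if a copy was made, 0 if
 * the special path does not apply, -1 if the input would not fit. */
int parse_domain_safe(const char *domain, size_t len, char out[DOMAIN_BUF_SIZE])
{
    if (domain == NULL || len >= DOMAIN_BUF_SIZE)
        return -1;                      /* reject instead of overflowing */
    if (!takes_special_path(domain, len))
        return 0;
    memcpy(out, domain, len);
    out[len] = '\0';
    return 1;
}

/* Constructed sample input: '_' followed by nchars copies of Cyrillic 'Д'
 * (U+0414, two bytes D0 94 in UTF-8). buf must hold 2 + 2*nchars bytes.
 * Returns the byte length, which is what the bound must be checked against:
 * 200 characters are already 401 bytes on the wire. */
size_t make_cyrillic_domain(char *buf, size_t nchars)
{
    size_t n = 0;
    buf[n++] = '_';
    for (size_t i = 0; i < nchars; i++) {
        buf[n++] = (char)0xD0;
        buf[n++] = (char)0x94;
    }
    buf[n] = '\0';
    return n;
}

/* Builds a sample name of nchars Cyrillic characters and runs the hardened
 * parser on it; returns the parser's result code. */
int check_cyrillic_domain(size_t nchars)
{
    char wire[2 + 2 * 512];             /* large enough for any test size */
    char out[DOMAIN_BUF_SIZE];
    size_t n = make_cyrillic_domain(wire, nchars);
    return parse_domain_safe(wire, n, out);
}
```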
Table of contents
Client data transmission via RDP
CVE-2025-68670: an RCE vulnerability in xrdp
PoC
Protection against vulnerability exploitation
Vulnerability remediation timeline
Conclusion