CVE-2025-68670
Published: 27 January 2026
Description
xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems.
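The bug class described above, as an added illustration that is not xrdp's own code: a length-prefixed domain field is copied into a fixed-size stack buffer. The wire layout (2-byte little-endian length followed by the bytes), the 32-byte buffer, the function names parse_domain_unchecked and parse_domain_checked, and the sample packets are all assumptions made for this example; the real xrdp field layout and buffer size are not shown on this page. The unchecked parser trusts the attacker-controlled length (the CWE-121 / CWE-787 shape), the checked parser bounds it against both the destination buffer and the packet before any copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer for the domain field; the real
 * xrdp buffer size and field layout are not shown on this page. */
#define DOMAIN_BUF 32

/* Read a little-endian 16-bit length prefix (assumed wire format). */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

/* Vulnerable pattern: the attacker-supplied length is trusted, so a
 * length >= DOMAIN_BUF writes past domain[] into the saved frame
 * pointer and return address (CWE-121 / CWE-787).  Never call this
 * with untrusted input; it is here only to show the bug shape. */
int parse_domain_unchecked(const uint8_t *pkt, size_t pkt_len,
                           char *out, size_t out_len)
{
    char domain[DOMAIN_BUF];
    if (pkt_len < 2 || out_len == 0)
        return -1;
    uint16_t len = rd16(pkt);
    memcpy(domain, pkt + 2, len);   /* BUG: len never checked against DOMAIN_BUF or pkt_len */
    domain[len] = '\0';             /* BUG: terminator can also land one past the end */
    snprintf(out, out_len, "%s", domain);
    return (int)len;
}

/* Hardened version: bound the length against both the destination
 * buffer (leaving room for the terminator) and the bytes actually
 * present in the packet before touching memory. */
int parse_domain_checked(const uint8_t *pkt, size_t pkt_len,
                         char *out, size_t out_len)
{
    char domain[DOMAIN_BUF];
    if (pkt_len < 2 || out_len == 0)
        return -1;
    uint16_t len = rd16(pkt);
    if (len >= sizeof domain)       /* would overflow domain[] */
        return -1;
    if ((size_t)len > pkt_len - 2)  /* would read past the packet */
        return -1;
    memcpy(domain, pkt + 2, len);
    domain[len] = '\0';
    snprintf(out, out_len, "%s", domain);
    return (int)len;
}

/* Constructed sample packets (not captured RDP traffic). */
static const uint8_t PKT_GOOD[]      = {0x07, 0x00, 'E', 'X', 'A', 'M', 'P', 'L', 'E'};
static const uint8_t PKT_OVERSIZED[] = {0x00, 0x01, 'A', 'B'};   /* claims 256 bytes */
static const uint8_t PKT_TRUNCATED[] = {0x05, 0x00, 'A', 'B'};   /* claims 5, carries 2 */

int main(void)
{
    char out[64];
    int r;

    r = parse_domain_checked(PKT_GOOD, sizeof PKT_GOOD, out, sizeof out);
    printf("good:      rc=%d domain=\"%s\"\n", r, out);

    r = parse_domain_checked(PKT_OVERSIZED, sizeof PKT_OVERSIZED, out, sizeof out);
    printf("oversized: rc=%d (rejected before any copy)\n", r);

    r = parse_domain_checked(PKT_TRUNCATED, sizeof PKT_TRUNCATED, out, sizeof out);
    printf("truncated: rc=%d (rejected before any copy)\n", r);

    /* The unchecked parser is only ever run on the well-formed packet
     * here; feeding it PKT_OVERSIZED would corrupt this frame's stack. */
    r = parse_domain_unchecked(PKT_GOOD, sizeof PKT_GOOD, out, sizeof out);
    printf("unchecked on good input: rc=%d domain=\"%s\"\n", r, out);
    return 0;
}
```

Building the unchecked variant with -fstack-protector-strong turns an oversized copy into an abort in __stack_chk_fail instead of a controlled return-address overwrite, which is the mitigation the advisory describes; it still only fires after the overflow has happened, and the canary value can be recovered through a second information-leak bug, which is why the advisory says not to rely on it in production. Whether a given xrdp build carries canaries can be checked by looking for __stack_chk_fail among the binary's dynamic symbols (for example with readelf); the fix is the 0.10.5 upgrade either way.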
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the specific stack-based buffer overflow flaw in xrdp by upgrading to version 0.10.5, which patches the improper bounds checking.
Mandates validation of incoming user domain information during RDP connection sequences to enforce bounds checking and prevent buffer overflows.
Deploys memory protection mechanisms such as stack canaries (compiler stack protector) to make the overflow harder to exploit; an attacker would then need a second vulnerability to leak the canary value before hijacking control flow, so this is a defence-in-depth measure and not a substitute for the upgrade.
Security Summary
CVE-2025-68670 is an unauthenticated stack-based buffer overflow vulnerability affecting xrdp, an open source Remote Desktop Protocol (RDP) server, in versions prior to v0.10.5. The flaw arises from improper bounds checking when processing user domain information during the connection sequence, enabling attackers to overwrite the stack buffer and return address to potentially redirect execution flow. Associated with CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
Remote, unauthenticated attackers can exploit this vulnerability over the network by sending specially crafted connection requests containing malicious user domain data. Successful exploitation could allow arbitrary code execution on the target system with the privileges of the xrdp process, potentially leading to full system compromise. The impact is partially mitigated if xrdp was compiled with stack canary protection, as this would require a secondary vulnerability to leak the canary value before control flow hijacking.
Advisories recommend upgrading to xrdp v0.10.5, which includes a patch addressing the bounds checking issue, as detailed in the project's GitHub security advisory (GHSA-rwvg-gp87-gh6f), release notes, and the specific commit (488c8c7d4d189514a366cd8301b6e816c5218ffa). Debian LTS announcements also cover the issue for affected distributions. Production systems should not rely solely on stack canary protections for defense.
Details
- CWE(s): CWE-121 (Stack-based Buffer Overflow), CWE-787 (Out-of-bounds Write)
Affected Products: xrdp before v0.10.5
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated stack-based buffer overflow in public-facing xrdp RDP server enables remote arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.