CVE-2025-68670: Pre-auth RCE Vulnerability Identified in xrdp Server Domain Field

Kaspersky researchers have released a detailed technical analysis of CVE-2025-68670, a critical Remote Code Execution (RCE) vulnerability affecting the open-source xrdp server. The flaw originates in the handling of initial connection packets, allowing an unauthenticated attacker to execute arbitrary code on the target system. The discovery occurred during a security audit conducted by Kaspersky researchers on the Kaspersky USB Redirector product.

The vulnerability transforms an ostensibly benign RDP protocol element—the domain name—into a direct attack vector. By exploiting a discrepancy between allocated buffer sizes and copy limits defined in the source code, a malicious actor can trigger a stack buffer overflow. Because this error occurs during the earliest stages of communication, the entire attack can be completed before the client is prompted for credentials.

Analyzing the resultIP Buffer Overflow

The technical core of CVE-2025-68670 lies in how xrdp interprets domain information sent by the client. During session initialization, the server calls the xrdp_wm_parse_domain_information function to extract and process the domain name. In this code block, a stack buffer named resultIP is declared with a fixed size of 256 bytes.

A critical programming error emerges in the application of the g_strncpy copy function. Researchers observed that the server is configured to accept and copy up to 512 bytes from the domain name field into the buffer. Since 512 bytes significantly exceed the 256 bytes allocated for resultIP, the copy operation writes past the buffer's boundaries, corrupting the memory space reserved for other variables on the thread stack.

This uncontrolled overwrite has immediate consequences for process stability and security. The excess data can modify memory pointers and, as highlighted by technical analysis, potentially alter the thread's return address. If an attacker successfully controls the return address value, they can divert the execution flow toward arbitrary instructions, gaining control of the underlying operating system with the privileges of the xrdp process.

The complexity of the attack is tied to character encoding management. The RDP protocol typically transmits the domain name in UTF-16, which the server subsequently converts to UTF-8. An attacker can construct a string that expands during conversion to saturate and exceed the 256-byte buffer, utilizing specific delimiters like single underscores '_' and double underscores '__' to manipulate the malicious parsing.

The resultIP buffer measures 256 bytes, but the g_strncpy function allows for writing up to 512 bytes, creating a potential 256-byte overflow directly on the stack.

Exploiting the Pre-Authentication Flaw

One of the most alarming aspects of CVE-2025-68670 is its pre-authentication nature. In the xrdp execution flow, the vulnerable xrdp_wm_parse_domain_information function is invoked very early during the handling of connection setup parameters. Kaspersky documented the call stack, demonstrating that this code branch executes before the server requests or verifies the user's identity (username and password).

This architectural placement removes the requirement for brute-force attacks or credential theft. A malicious user simply needs to send an RDP connection packet with a specifically crafted domain field. While attempting to process this information to prepare the login environment, the server inadvertently triggers the overflow before establishing whether the client is authorized to access resources.

To confirm the severity of the issue, researchers developed a Proof-of-Concept (PoC) based on a modified .rdp file. During testing, sending this file to a vulnerable server caused an immediate crash. Debugger analysis (gdb) revealed that the system attempted to terminate the process due to stack corruption, confirming that attacker-supplied data had successfully reached and overwritten sensitive memory areas.

Compiler Protections and Stack Canaries

The ability to weaponize this overflow into reliable code execution depends heavily on active compiler-level protections. Kaspersky emphasizes that most modern compilers enable "stack canary" protection by default. This technology inserts a random value (the canary) between the buffer and the return address; if the canary is modified by an overflow, the system detects the intrusion and terminates the program.

In laboratory tests, the PoC triggered a __stack_chk_fail (stack smashing detected) error, proving that the canary prevented a direct and simple overwrite of the return address. However, the existence of this protection does not render the vulnerability irrelevant. In specific environments, such as embedded systems or distributions with custom builds where these protections might be disabled for performance optimization, the risk of immediate RCE is extremely high.

Furthermore, cybersecurity history demonstrates that stack canaries are not an absolute defense against determined attackers. Advanced techniques exist to bypass such protections, particularly when an attacker maintains precise control over the overwritten data. CVE-2025-68670 provides a stable overflow primitive that could be utilized as part of a more complex exploit chain to circumvent compiler defenses.

Mitigation and Security Recommendations

Given the pre-authentication nature of the flaw and the public availability of technical details, immediate action is required to secure exposed xrdp servers. Recommendations focus on software updates and attack surface reduction.

• Immediate xrdp Package Update: Install version 0.10.5 or higher. Maintainers released this version specifically to address the buffer overflow.
• Apply Backports: If upgrading to 0.10.5 is not feasible, verify the installation of versions 0.9.27 or 0.10.4.1, which include backward-compatible security patches to mitigate CVE-2025-68670.
• Verify Binary Hardening: Administrators compiling xrdp from source must ensure that -fstack-protector-strong or equivalent options are active to guarantee the canary mechanism is present in the final binary.
• Restrict Network Access: Because this is a pre-auth vulnerability, any system capable of reaching the xrdp TCP port (typically 3389) can attempt exploitation. It is recommended to restrict access via firewalls or VPNs, avoiding direct exposure to the public internet.

In the absence of these measures, systems remains vulnerable to Denial of Service (via process crashes) or, in less protected configurations, full remote compromise. Monitoring logs for connection attempts that result in xrdp service restarts may serve as an indicator of ongoing malicious activity.

In conclusion, CVE-2025-68670 serves as a critical reminder of the risks associated with string and encoding management in C. The assumption that a field such as a domain name cannot cause harm led to a classic overflow error that now threatens the security of thousands of Linux servers using xrdp for remote access. Rapid patching remains the only effective defense against this specific vector.

Editorial Note: This analysis is based exclusively on the technical report provided by Kaspersky. At the time of writing, there is no independent confirmation from other vendors or external researchers regarding the replicability of canary bypasses or evidence of active exploitation in real-world scenarios outside of research laboratories.

Information has been verified against cited sources and is current as of the time of publication.

Sources

• https://securelist.com/cve-2025-68670/119742/