
Understanding the CVE-2025-68670 RCE Vulnerability in xrdp: A Q&A Guide

Last updated: 2026-05-14 05:07:39 · Cybersecurity

Welcome to this comprehensive Q&A on CVE-2025-68670, a remote code execution vulnerability discovered in the xrdp remote desktop server. This flaw was identified during a security audit of Kaspersky USB Redirector, a tool that extends xrdp for secure USB device access in remote sessions. Below, we break down the vulnerability, its impact, and the steps taken to mitigate it.

1. What is xrdp and why is it important for remote desktop users?

xrdp is an open-source implementation of the Microsoft Remote Desktop Protocol (RDP) for Linux-based systems. It allows users to connect to a Linux desktop from any RDP client (e.g., Windows Remote Desktop). It is widely used in enterprise environments, especially in thin client setups like Kaspersky Thin Client, because it offers a reliable, cross-platform remote access solution. The server handles authentication, session management, and data transfer, making its security critical. A vulnerability in xrdp could expose sensitive data or allow attackers to execute arbitrary code on the server, compromising both the host and any connected resources.

Source: securelist.com

2. What role does Kaspersky USB Redirector play in this context?

Kaspersky USB Redirector is a module that enhances xrdp by enabling access to local USB devices—such as flash drives, smart cards, tokens, and printers—within a remote desktop session. It is designed for Kaspersky Thin Client users who need to work with USB peripherals securely. The module integrates with xrdp's remote desktop capabilities, ensuring that all data transfer remains encrypted and controlled. During a routine security audit of this module, Kaspersky researchers discovered the underlying RCE vulnerability in xrdp itself, highlighting how third-party tools can inadvertently expose flaws in base software.

3. What is CVE-2025-68670, and how severe is it?

CVE-2025-68670 is a remote code execution vulnerability in xrdp that received a high severity rating. It lies in the Secure Settings Exchange phase of an RDP connection, which runs before the client is authenticated. An unauthenticated attacker who can reach the xrdp listener can therefore trigger it by sending a crafted Client Info PDU, and the resulting memory corruption can be turned into arbitrary code execution on the server. Kaspersky's security team discovered the bug and disclosed it responsibly to the xrdp maintainers, who released the fix in version 0.10.5, backported it to 0.9.27 and 0.10.4.1, and published a security bulletin.

4. How does the vulnerability work? Can you explain the technical details?

During Secure Settings Exchange, the client sends its credentials and session settings in a Client Info PDU carrying a TS_INFO_PACKET structure. The packet's Domain, UserName, Password, AlternateShell (program) and WorkingDir fields are UTF-16 strings, each limited to 512 bytes including the null terminator. On the server side, xrdp converts each field to UTF-8 with the ts_info_utf16_in function. The problem is that the input limit and the output buffer were sized with the same number. 512 bytes of UTF-16 is 256 code units, and a code unit in the range U+0800 to U+FFFF (most CJK characters, for example) becomes 3 bytes in UTF-8, so a maximal field can expand to 768 bytes of UTF-8, plus a terminator. The destination buffer is only 512 bytes, sized by the constant INFO_CLIENT_MAX_CB_LEN, and the conversion did not check its output length against it. A client that sends a field of 256 three-byte characters passes the input-length check and then overruns the buffer by up to 256 bytes plus the terminator, corrupting adjacent memory. Because this happens before authentication, an attacker who can reach the RDP port can attempt it without credentials, and a carefully crafted payload could turn the corruption into remote code execution.


5. How was the vulnerability fixed, and what should users do to stay protected?

The xrdp maintainers fixed CVE-2025-68670 by making the conversion check the maximum UTF-8 output size against the destination buffer and truncate or reject inputs that would not fit. The fix shipped in xrdp 0.10.5 and was backported to 0.9.27 and 0.10.4.1. Upgrade to one of these versions and confirm the installed version afterwards (for example with xrdp --version or your package manager); distributions sometimes backport fixes without changing the upstream version string, so check your distribution's advisory as well. If you run Kaspersky Thin Client or Kaspersky USB Redirector, make sure the underlying xrdp installation is the one that gets updated. Because the flaw is reachable before authentication, strong credentials alone do not prevent exploitation: keep them, but also limit who can reach xrdp's listener (TCP 3389 by default) to trusted networks or a VPN, and keep an eye on security bulletins from both the xrdp project and Kaspersky.
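The conversion described in question 4 and the output-size check described in question 5, as an added example in C that is neither xrdp's code nor taken from the Securelist write-up. Everything in it is a hypothetical model built to show the mechanics: the UTF-16LE decoder, the UTF-8 encoder, the unchecked and checked converters, the one-array "frame" that stands in for the real buffer and the memory next to it, and the constructed 512-byte UserName of 256 CJK characters. The unchecked converter reproduces the bug pattern (the caller validates only the input length, the converter never looks at the destination size); the checked one rejects a field that would not fit, which is one of the two remedies the page mentions, truncation at a code point boundary being the other.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Destination size named in the article. 512 bytes of UTF-16 is 256 code units, and
 * each unit can become 3 UTF-8 bytes, so the real worst case is 768 bytes plus a NUL. */
#define INFO_CLIENT_MAX_CB_LEN 512
#define INFO_UTF8_WORST_CASE ((INFO_CLIENT_MAX_CB_LEN / 2) * 3)

/* Decode one code point from UTF-16LE; returns code units consumed (1 or 2). */
static size_t utf16le_get(const unsigned char *in, size_t units_left, uint32_t *cp)
{
    uint32_t u = in[0] | (uint32_t)in[1] << 8, lo;
    if (u >= 0xD800 && u <= 0xDBFF && units_left >= 2 &&
        (lo = in[2] | (uint32_t)in[3] << 8) >= 0xDC00 && lo <= 0xDFFF) {
        *cp = 0x10000 + ((u - 0xD800) << 10) + (lo - 0xDC00);
        return 2;
    }
    *cp = (u >= 0xD800 && u <= 0xDFFF) ? 0xFFFD : u;   /* lone surrogate -> U+FFFD */
    return 1;
}

/* Encode one code point as UTF-8 into o (room for 4 bytes); returns bytes used. */
static size_t utf8_put(uint32_t cp, unsigned char *o)
{
    if (cp < 0x80)    { o[0] = cp; return 1; }
    if (cp < 0x800)   { o[0] = 0xC0 | (cp >> 6); o[1] = 0x80 | (cp & 0x3F); return 2; }
    if (cp < 0x10000) { o[0] = 0xE0 | (cp >> 12); o[1] = 0x80 | ((cp >> 6) & 0x3F); o[2] = 0x80 | (cp & 0x3F); return 3; }
    o[0] = 0xF0 | (cp >> 18); o[1] = 0x80 | ((cp >> 12) & 0x3F); o[2] = 0x80 | ((cp >> 6) & 0x3F); o[3] = 0x80 | (cp & 0x3F);
    return 4;
}

/* Vulnerable pattern (a hypothetical model of the bug, not xrdp's function): the caller has
 * only verified in_len <= INFO_CLIENT_MAX_CB_LEN and this routine never asks how large dst is.
 * Returns the number of bytes written, including the terminator. */
size_t utf16le_to_utf8_unchecked(const unsigned char *in, size_t in_len, unsigned char *dst)
{
    size_t units = in_len / 2, i = 0, o = 0;
    uint32_t cp;
    while (i < units) {
        i += utf16le_get(in + 2 * i, units - i, &cp);
        o += utf8_put(cp, dst + o);
    }
    dst[o++] = 0;
    return o;
}

/* Hardened form: same loop, but a code point is stored only if it and the terminator
 * still fit in dst_len; otherwise the whole field is rejected with -1. */
long utf16le_to_utf8_checked(const unsigned char *in, size_t in_len, unsigned char *dst, size_t dst_len)
{
    unsigned char tmp[4];
    size_t units = in_len / 2, i = 0, o = 0, n;
    uint32_t cp;
    if (dst_len == 0) return -1;
    while (i < units) {
        i += utf16le_get(in + 2 * i, units - i, &cp);
        n = utf8_put(cp, tmp);
        if (o + n >= dst_len) return -1;   /* no room for this code point plus the NUL */
        memcpy(dst + o, tmp, n); o += n;
    }
    dst[o++] = 0;
    return (long)o;
}

/* Constructed worst-case UserName: 256 copies of U+4E2D (a CJK character, 3 bytes in UTF-8)
 * is exactly 512 bytes of UTF-16LE, so an in_len <= 512 check lets it through. */
static const unsigned char *worst_case_field(void)
{
    static unsigned char f[INFO_CLIENT_MAX_CB_LEN];
    for (size_t i = 0; i < sizeof f; i += 2) { f[i] = 0x2D; f[i + 1] = 0x4E; }
    return f;
}

/* Simulated frame: one arena whose first 512 bytes are "the buffer" and whose tail is
 * "adjacent memory". Returns how many bytes the unchecked converter wrote past 512. */
size_t demo_overflow_bytes(void)
{
    unsigned char arena[INFO_UTF8_WORST_CASE + 1];
    size_t written = utf16le_to_utf8_unchecked(worst_case_field(), INFO_CLIENT_MAX_CB_LEN, arena);
    return written > INFO_CLIENT_MAX_CB_LEN ? written - INFO_CLIENT_MAX_CB_LEN : 0;
}
/* The same field through the checked converter into a real 512-byte buffer: rejected (-1). */
long demo_checked_result(void)
{
    unsigned char dst[INFO_CLIENT_MAX_CB_LEN];
    return utf16le_to_utf8_checked(worst_case_field(), INFO_CLIENT_MAX_CB_LEN, dst, sizeof dst);
}
/* A benign ASCII UserName ("admin" in UTF-16LE) still converts normally: 6 bytes with NUL. */
long demo_benign_result(void)
{
    static const unsigned char admin[] = { 'a', 0, 'd', 0, 'm', 0, 'i', 0, 'n', 0 };
    unsigned char dst[INFO_CLIENT_MAX_CB_LEN];
    long n = utf16le_to_utf8_checked(admin, sizeof admin, dst, sizeof dst);
    return (n == 6 && strcmp((const char *)dst, "admin") == 0) ? n : -2;
}

int main(void)
{
    printf("unchecked: %zu bytes past the buffer; checked: %ld; benign: %ld\n",
           demo_overflow_bytes(), demo_checked_result(), demo_benign_result());
    return 0;
}
```

Build it with any C99 compiler (for example cc -std=c99 -Wall example.c) and run it: the unchecked path writes 257 bytes past the 512-byte buffer (768 bytes of UTF-8 plus the terminator), the checked path returns -1 for the same field, and the benign name converts to 6 bytes. The input is never larger than the limit the original check was written against; the expansion from two-byte UTF-16 units to three-byte UTF-8 sequences is what carries the write out of bounds, which is why the fix has to bound the output, not the input.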

6. Were there any other vulnerabilities found during the Kaspersky audit?

The Kaspersky security team's audit focused on Kaspersky USB Redirector, but during their investigation, they specifically identified and reported CVE-2025-68670 in xrdp. The audit did not disclose other vulnerabilities in the USB Redirector module itself, as the primary finding was this server-side flaw. However, such audits demonstrate the importance of continuously testing third-party integrations for security weaknesses. Kaspersky's responsible disclosure and the swift response from xrdp maintainers underscore the effectiveness of coordinated vulnerability management.