CVE-2025-68670

9.1 CRITICAL

📋 TL;DR

CVE-2025-68670 is an unauthenticated stack-based buffer overflow vulnerability in xrdp (open source RDP server) that allows remote attackers to execute arbitrary code on affected systems. The vulnerability occurs during connection sequence processing when user domain information isn't properly bounds-checked. All xrdp installations before version 0.10.5 are affected.

💻 Affected Systems

Products:
  • xrdp
Versions: All versions before v0.10.5
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: All default xrdp configurations are vulnerable; the affected code runs during the connection sequence, before the client has authenticated. A stack protector in the build (-fstack-protector-strong) turns a naive overflow into an abort but does not remove the bug, and whether your package has one depends on the distribution's build flags: check with `checksec --file=/usr/sbin/xrdp` (path as on Debian-based systems) or look for `__stack_chk_fail` among the dynamic symbols of the xrdp binary and libxrdp.

📦 What is this software?

xrdp is an open-source Remote Desktop Protocol (RDP) server for Linux and other Unix-like systems, maintained by neutrinolabs. It lets standard RDP clients (Windows Remote Desktop, FreeRDP, Remmina) open a graphical session on the host, normally over TCP/3389, which is why it is frequently exposed directly to the network.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution as the account the xrdp listener runs under (root on many builds; a dedicated xrdp user on distributions such as Debian and Ubuntu that drop privileges, where full root still needs a local escalation), leading to system compromise, data theft and installation of a persistent backdoor.

🟠

Likely Case

Remote code execution on builds without a stack protector. On hardened builds a failed attempt aborts the xrdp process, so attackers get a crash (denial of service) rather than code execution unless they have a canary bypass.

🟢

If Mitigated

Application crash (denial of service): if the binary was built with a stack protector, an overflow that reaches the canary aborts the process instead of transferring control.

🌐 Internet-Facing: HIGH - xrdp listens on TCP/3389 and is often exposed directly for remote access; the vulnerable code runs before authentication, so anyone who can reach the port can reach the bug.
🏢 Internal Only: MEDIUM - exploitable by anyone with network reach to the service; segmentation limits who that is, but does not change the unauthenticated nature of the flaw.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication is needed and the vendor advisory describing the bug is public, but no public proof-of-concept is listed here. A stack protector in the target build raises the cost of a working exploit, because the attacker then needs a canary bypass or an information leak, but it does not remove the bug.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.10.5

Vendor Advisory: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f

Restart Required: Yes

Instructions:

1. Stop the service: sudo systemctl stop xrdp
2. Update xrdp: sudo apt update && sudo apt upgrade xrdp (Debian/Ubuntu), or the equivalent with your distribution's package manager. The package manager can only deliver the fix once your distribution has shipped a fixed package.
3. Verify the version: xrdp --version should report 0.10.5 or higher. Distribution packages sometimes backport the fix under an older version string; in that case the distribution's security tracker entry for CVE-2025-68670 is the authority, not the number.
4. Start the service again: sudo systemctl start xrdp

🔧 Temporary Workarounds

Network Access Restriction

Restrict access to the xrdp listener with firewall rules so only trusted addresses can reach it. Insert the rules at the top of INPUT (`-I INPUT 1`) rather than appending with `-A`; otherwise an earlier blanket ACCEPT rule (a permissive default, or an established-connections rule ahead of it) can shadow the DROP. Inserting DROP first and ACCEPT second leaves ACCEPT above DROP, which is the order you want. Use the port set in /etc/xrdp/xrdp.ini if it is not 3389, and add the IPv6 rule if the host has an IPv6 address, since iptables only covers IPv4.

sudo iptables  -I INPUT 1 -p tcp --dport 3389 -j DROP
sudo iptables  -I INPUT 1 -p tcp --dport 3389 -s TRUSTED_IP -j ACCEPT
sudo ip6tables -I INPUT 1 -p tcp --dport 3389 -j DROP
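A more complete form of this workaround, added here as an example (it is not the page's own commands and not anything from the xrdp project): it reads the listening port from xrdp.ini instead of assuming 3389, uses an nftables `inet` table so the final drop covers IPv6 as well as IPv4, and only touches the firewall when run with `--apply`. The config path, the `xrdp_guard` table name and the trusted networks are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the xrdp project or the original page.
# Generate (and optionally apply) an nftables ruleset that lets only trusted
# IPv4 networks reach the xrdp listener. Assumptions: xrdp.ini lives at
# /etc/xrdp/xrdp.ini (override via XRDP_INI) and the table name xrdp_guard
# is free on this host.

# Read the listening port from the [Globals] section of xrdp.ini.
# Accepts both "port=3389" and the "port=tcp://:3389" form; defaults to 3389.
xrdp_port() {
    ini="${1:-/etc/xrdp/xrdp.ini}"
    p=""
    if [ -r "$ini" ]; then
        p=$(awk -F= '
            /^\[/ { section = $1 }
            section == "[Globals]" && $1 == "port" {
                v = $2; sub(/.*[^0-9]/, "", v); print v; exit
            }' "$ini")
    fi
    printf '%s\n' "${p:-3389}"
}

# Print an nft ruleset: accept TCP to $port from the listed IPv4 networks,
# then drop everything else to that port. The table is family "inet", so the
# final drop also covers IPv6. The declare-then-flush prefix makes re-running
# the script replace the rules instead of appending duplicates. Priority -10
# evaluates this chain before a typical filter chain at priority 0.
build_nft_rules() {
    port="$1"; shift
    if [ $# -eq 0 ]; then
        echo "build_nft_rules: at least one trusted network is required" >&2
        return 1
    fi
    trusted=$(printf '%s, ' "$@"); trusted="${trusted%, }"
    cat <<EOF
table inet xrdp_guard {}
flush table inet xrdp_guard
table inet xrdp_guard {
    chain input {
        type filter hook input priority -10; policy accept;
        tcp dport $port ip saddr { $trusted } accept
        tcp dport $port drop
    }
}
EOF
}

# Usage (as root): sh restrict_xrdp.sh --apply 10.0.0.0/8 192.168.1.0/24
# Without --apply nothing is changed; --print only shows the ruleset.
case "${1:-}" in
    --apply) shift; build_nft_rules "$(xrdp_port "${XRDP_INI:-/etc/xrdp/xrdp.ini}")" "$@" | nft -f - ;;
    --print) shift; build_nft_rules "$(xrdp_port "${XRDP_INI:-/etc/xrdp/xrdp.ini}")" "$@" ;;
esac
```

Run it with `--print` first and review the output; apply only once the trusted list is right, because the final rule drops every other source, including the one you are logged in from if you reach the host over RDP.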

🧯 If You Can't Patch

  • Disable the xrdp service (sudo systemctl disable --now xrdp) and reach the host another way, for example a desktop session over an SSH tunnel or VPN, until a fixed package is installed
  • Implement strict network segmentation and firewall rules so that TCP/3389 on xrdp hosts is reachable only from the management network, never from the internet

🔍 How to Verify

Check if Vulnerable:

Run `xrdp --version` (or `dpkg -l xrdp` on Debian/Ubuntu, `rpm -q xrdp` on RPM-based systems) and compare the version numerically against 0.10.5: anything lower is vulnerable unless your distribution has backported the fix under an older version string, in which case its security tracker entry for CVE-2025-68670 is the authority, not the number.

Check Version:

xrdp --version

Verify Fix Applied:

Run `xrdp --version` and confirm the first line reports xrdp 0.10.5 or a later release (compare numerically: 0.10.10 is newer than 0.10.5). Then confirm the running process is the new binary, since the service has to be restarted for the fix to take effect: `systemctl status xrdp` should show a start time after the upgrade.
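The version test above, as an added example (not from the page or from the xrdp project): it parses the first line of `xrdp --version` output, which the page's check assumes starts with `xrdp <version>`, compares numerically rather than as a string (so 0.10.10 is correctly newer than 0.10.5), and runs the live check only when invoked with `--check`. It only tells you the upstream version number; a distribution backport can be fixed at a lower version string, so pair it with your distribution's security tracker.

```shell
#!/bin/sh
# Added example, not from the xrdp project or the original page.
# Decide whether an xrdp version string is below the fixed release (0.10.5).
# Assumes `xrdp --version` prints "xrdp <version>" on its first line.

FIXED_VERSION=0.10.5

# Numeric dotted-version compare: prints -1, 0 or 1 for a<b, a==b, a>b.
# Missing components count as 0, so 0.10 == 0.10.0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# Pull "0.9.21" out of "xrdp 0.9.21" or "xrdp v0.9.21"; prints nothing if
# the first line does not look like xrdp version output (e.g. "not found").
parse_xrdp_version() {
    printf '%s\n' "$1" | sed -n '1s/^xrdp[[:space:]]\{1,\}v\{0,1\}\([0-9][0-9.]*\).*$/\1/p'
}

# Exit status: 0 = version is below 0.10.5 (vulnerable), 1 = fixed,
# 2 = could not parse a version from the input.
is_vulnerable_version() {
    v=$(parse_xrdp_version "$1")
    [ -n "$v" ] || return 2
    [ "$(vercmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Usage: sh check_xrdp.sh --check   (runs `xrdp --version` on this host)
if [ "${1:-}" = "--check" ]; then
    out=$(xrdp --version 2>&1) || true
    rc=0; is_vulnerable_version "$out" || rc=$?
    case $rc in
        0) echo "VULNERABLE: $(parse_xrdp_version "$out") < $FIXED_VERSION (check for a distro backport before concluding)" ;;
        1) echo "fixed: $(parse_xrdp_version "$out")" ;;
        *) echo "could not determine xrdp version from: $out" ;;
    esac
fi
```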

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed connection attempts with malformed domain fields
  • xrdp service crashes in logs
  • Unusual process execution following xrdp connections

Network Indicators:

  • Unusual RDP traffic patterns
  • Connection attempts with abnormally long domain fields
  • Traffic to xrdp port (default 3389) from unexpected sources

SIEM Query:

(source="xrdp.log" OR source="syslog") AND ("segfault" OR "stack smashing detected" OR "status=11/SEGV" OR "status=6/ABRT")

"buffer overflow" is not a string the kernel, glibc or systemd emit, so a query on it finds nothing. A process that is killed by a segfault does not write its own crash entry into xrdp.log either; the evidence lands in the kernel log (the `segfault at ... in libxrdp` record for the xrdp process), in glibc's `*** stack smashing detected ***` message on a stack-protected build, and in systemd's exit records for xrdp.service (`status=11/SEGV`, `status=6/ABRT`). Match those, and alert on several of them in a short window rather than on a single crash.
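The indicators above, as an added example that is not from the page or from xrdp: a small filter for syslog/journal text that matches the records a crash actually produces (the kernel's segfault line for the xrdp process, glibc's stack-protector abort, and systemd's SEGV/ABRT exit records for xrdp.service) and alerts when they cluster. The sample lines, hostnames, PIDs and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the xrdp project or the original page.
# Flag crash indicators for the xrdp process in syslog/journal text on stdin.
# Matches the records a crash actually produces: the kernel's segfault line for
# the xrdp process, glibc's stack-protector abort, and systemd's SEGV/ABRT exit
# records for xrdp.service. Hostnames, PIDs and addresses below are constructed.

# Constructed sample input in syslog / "journalctl -o short" format.
sample_log() {
    cat <<'EOF'
Jan 14 10:02:11 host kernel: xrdp[2211]: segfault at 8 ip 00007f3c2a1b4c2e sp 00007ffd2c1d8e40 error 4 in libxrdp.so.0.0.0[7f3c2a190000+40000]
Jan 14 10:02:11 host systemd[1]: xrdp.service: Main process exited, code=killed, status=11/SEGV
Jan 14 10:02:13 host systemd[1]: xrdp.service: Scheduled restart job, restart counter is at 1.
Jan 14 10:03:40 host xrdp[2290]: *** stack smashing detected ***: terminated
Jan 14 10:03:40 host systemd[1]: xrdp.service: Main process exited, code=killed, status=6/ABRT
Jan 14 10:05:00 host sshd[3002]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Jan 14 10:06:00 host systemd[1]: Started xrdp.service - xrdp daemon.
EOF
}

# Print only the lines that indicate an xrdp crash.
xrdp_crash_lines() {
    grep -E 'kernel: xrdp\[[0-9]+\]: segfault at|xrdp\[[0-9]+\]: \*\*\* stack smashing detected \*\*\*|xrdp\.service: Main process exited, code=killed, status=(11/SEGV|6/ABRT)'
}

# Number of crash indicator lines on stdin.
xrdp_crash_count() {
    xrdp_crash_lines | wc -l | tr -d ' '
}

# Exit 0 (alert) when at least $1 indicator lines are present (default 3).
# One crash can be an ordinary bug; several in a short window look like
# someone throwing malformed connection sequences at the listener.
xrdp_crash_alert() {
    threshold="${1:-3}"
    n=$(xrdp_crash_count)
    [ "$n" -ge "$threshold" ]
}

# Usage: journalctl --since "-1h" -o short | sh detect_xrdp_crash.sh --scan 3
if [ "${1:-}" = "--scan" ]; then
    if xrdp_crash_alert "${2:-3}"; then
        echo "ALERT: xrdp crash indicators reached threshold ${2:-3}"
    else
        echo "no xrdp crash burst"
    fi
fi
```

On the sample data the filter keeps four lines (the two systemd exit records, the kernel segfault and the glibc abort) and ignores the restart notice, the SSH login and the service start, so `--scan 3` alerts while `--scan 5` stays quiet.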

🔗 References

  • Vendor advisory: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f
