
Inside CVE-2025-68670: A Remote Code Execution Flaw in xrdp Exposed by Kaspersky

Last updated: 2026-05-13 00:52:32 · Cybersecurity

Introduction

Remote desktop solutions are essential for modern business operations, enabling secure access to systems across networks. However, hidden vulnerabilities can turn these tools into attack vectors. One such flaw, designated CVE-2025-68670, was discovered in the xrdp server—a key component of many thin-client environments. This article unpacks the technical details of the vulnerability, how it was found, and what steps were taken to mitigate it.

[Figure: Inside CVE-2025-68670: A Remote Code Execution Flaw in xrdp Exposed by Kaspersky. Source: securelist.com]

Background: The Security Audit That Found the Flaw

Kaspersky, known for its security solutions like the KasperskyOS-based products and Kaspersky Thin Client, also offers the Kaspersky USB Redirector. This module extends the capabilities of xrdp, a popular remote desktop server for Linux, by allowing access to local USB devices—flash drives, smart cards, tokens, and printers—during remote sessions while preserving security. As part of a routine security assessment of the USB Redirector, researchers conducted a deep audit of xrdp and uncovered the critical remote code execution (RCE) vulnerability.

Understanding the RDP Connection Process

An RDP (Remote Desktop Protocol) session is established through a multi-step handshake where client and server negotiate settings. The vulnerable stage occurs just before client authentication, during the Secure Settings Exchange. At this point, the client sends a Client Info PDU (Protocol Data Unit) containing protected credentials, including username, password, auto-reconnect cookies, and other data. This information is packed into a TS_INFO_PACKET structure, with each field represented as Unicode strings—up to 512 bytes long, terminated by a null character.

Technical Details of CVE-2025-68670

Buffer Overflow in Domain Name Processing

Within xrdp's code, the xrdp_client_info structure holds the client data. Its fields, such as domain, username, and password, are defined with a fixed size of INFO_CLIENT_MAX_CB_LEN (512 bytes). The vulnerability lies in how Unicode data from the client is converted to UTF-8 before storage. The function ts_info_utf16_in processes the incoming UTF-16 encoded strings and converts them to UTF-8, with a buffer size check intended to prevent overflows. However, an oversight in the conversion logic allowed an attacker to craft a malicious UTF-16 string that, when decoded to UTF-8, exceeded the destination buffer's capacity, causing a buffer overflow.

The Exploitation Path

The overflow occurs in the domain field. Normally, the function receives src_bytes (the number of bytes in the UTF-16 input) and dst_len (the size of the output buffer). The check s_check_rem_and_log validates that enough data remains in the input stream, so it bounds the input rather than the converted output. Because a single 2-byte UTF-16 code unit can expand to up to 3 bytes in UTF-8 for certain code points, an input that passes the size check can still produce more than 512 bytes of output. An attacker could supply a specially crafted sequence that, after conversion, writes past the allocated buffer. This corrupts adjacent memory and could allow remote code execution by overwriting function pointers or other critical data.


Impact and Severity

Successful exploitation could allow an unauthenticated attacker to execute arbitrary code on the xrdp server with the privileges of the xrdp process. Given that xrdp often runs on systems accessed by multiple users or exposed to internal networks, this could lead to full system compromise, data theft, or deployment of malware. The vulnerability was assigned a critical severity rating by the maintainers.

The Patch and Recommendations

Kaspersky responsibly disclosed the vulnerability to the xrdp project maintainers, who acted promptly. The fix was released in xrdp version 0.10.5, with backports to 0.9.27 and 0.10.4.1. The patch corrected the bounding of the UTF-16 to UTF-8 conversion, ensuring that the destination buffer cannot be overflowed. A security bulletin was issued to alert users.
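The following C example, written for this article and not taken from xrdp or from Kaspersky's advisory, illustrates the class of bug described in "The Exploitation Path" and the kind of fix described above: a UTF-16LE to UTF-8 converter that bounds the output buffer rather than the input byte count. The names utf16le_to_utf8_bounded, utf8_worst_case_bytes and demo_overlong_domain are hypothetical; the constant INFO_CLIENT_MAX_CB_LEN (512) is taken from the article. The constructed payload is 256 code units of U+20AC (EURO SIGN), which is exactly 512 bytes of UTF-16 but 768 bytes of UTF-8.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INFO_CLIENT_MAX_CB_LEN 512  /* fixed field size named in the article */

/* UTF-8 bytes needed for one Unicode scalar value. */
static size_t utf8_len_for_cp(uint32_t cp)
{
    if (cp < 0x80) return 1;
    if (cp < 0x800) return 2;
    if (cp < 0x10000) return 3;
    return 4;
}

/* Decode one scalar from UTF-16LE. Returns 16-bit units consumed (1 or 2),
   or 0 for a truncated pair or a lone surrogate. */
static size_t utf16le_decode(const uint8_t *src, size_t units, uint32_t *cp)
{
    if (units == 0) return 0;
    uint32_t u0 = src[0] | ((uint32_t)src[1] << 8);
    if (u0 < 0xD800 || u0 > 0xDFFF) { *cp = u0; return 1; }
    if (u0 > 0xDBFF || units < 2) return 0;          /* low surrogate first, or cut off */
    uint32_t u1 = src[2] | ((uint32_t)src[3] << 8);
    if (u1 < 0xDC00 || u1 > 0xDFFF) return 0;
    *cp = 0x10000 + (((u0 - 0xD800) << 10) | (u1 - 0xDC00));
    return 2;
}

/* Encode one scalar as UTF-8; the caller has already checked for room. */
static size_t utf8_encode(uint32_t cp, uint8_t *d)
{
    if (cp < 0x80) { d[0] = (uint8_t)cp; return 1; }
    if (cp < 0x800) {
        d[0] = (uint8_t)(0xC0 | (cp >> 6)); d[1] = (uint8_t)(0x80 | (cp & 0x3F)); return 2;
    }
    if (cp < 0x10000) {
        d[0] = (uint8_t)(0xE0 | (cp >> 12)); d[1] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
        d[2] = (uint8_t)(0x80 | (cp & 0x3F)); return 3;
    }
    d[0] = (uint8_t)(0xF0 | (cp >> 18)); d[1] = (uint8_t)(0x80 | ((cp >> 12) & 0x3F));
    d[2] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F)); d[3] = (uint8_t)(0x80 | (cp & 0x3F)); return 4;
}

/* Hardened conversion (hypothetical helper, not xrdp's code): the bound is applied to
   the OUTPUT before every write. Converts src_bytes of UTF-16LE into dst (dst_len bytes
   including the NUL). Returns bytes written excluding the NUL, or -1 if the result would
   not fit or the input is malformed. A NUL code unit terminates the string. */
int utf16le_to_utf8_bounded(const uint8_t *src, size_t src_bytes, char *dst, size_t dst_len)
{
    if (dst_len == 0 || (src_bytes & 1) != 0) return -1;
    size_t units = src_bytes / 2, i = 0, out = 0;
    while (i < units) {
        uint32_t cp;
        size_t used = utf16le_decode(src + 2 * i, units - i, &cp);
        if (used == 0) return -1;
        if (cp == 0) break;
        size_t need = utf8_len_for_cp(cp);
        if (out + need >= dst_len) return -1;        /* reject instead of overflowing */
        out += utf8_encode(cp, (uint8_t *)dst + out);
        i += used;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Worst-case expansion: each 2-byte UTF-16 unit may become 3 UTF-8 bytes,
   so an input-only check of 512 bytes admits up to 768 bytes of output. */
size_t utf8_worst_case_bytes(size_t utf16_bytes)
{
    return (utf16_bytes / 2) * 3;
}

/* Constructed payload: 256 x U+20AC in UTF-16LE fills a 512-byte field exactly yet
   needs 768 bytes of UTF-8. Returns -1 because the hardened converter refuses it. */
int demo_overlong_domain(void)
{
    uint8_t src[INFO_CLIENT_MAX_CB_LEN];
    for (size_t i = 0; i < sizeof src; i += 2) { src[i] = 0xAC; src[i + 1] = 0x20; }
    char dst[INFO_CLIENT_MAX_CB_LEN];
    return utf16le_to_utf8_bounded(src, sizeof src, dst, sizeof dst);
}

/* Constructed benign input "abA" in UTF-16LE converts normally. Returns 1 on success. */
int demo_ascii_fits(void)
{
    static const uint8_t src[] = { 'a', 0, 'b', 0, 'A', 0 };
    char dst[8];
    int n = utf16le_to_utf8_bounded(src, sizeof src, dst, sizeof dst);
    return (n == 3 && strcmp(dst, "abA") == 0) ? 1 : 0;
}

int main(void)
{
    printf("worst case for 512 UTF-16 bytes: %zu UTF-8 bytes\n", utf8_worst_case_bytes(512));
    printf("overlong domain result: %d (expect -1)\n", demo_overlong_domain());
    printf("ascii domain ok: %d (expect 1)\n", demo_ascii_fits());
    return 0;
}
```

The design point is where the bound lives: the input-size check in the article's description guarantees that the stream holds src_bytes, not that the decoded output fits in dst_len. Checking `out + need` against the destination size before each write, and leaving room for the terminator, is what keeps a crafted domain string from spilling past the 512-byte field.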

To protect against CVE-2025-68670 and similar flaws:

  • Update immediately to the latest xrdp version (0.10.5 or later).
  • If using Kaspersky USB Redirector or any xrdp-dependent tools, verify they are compatible with the patched xrdp.
  • Restrict network access to xrdp servers using firewalls or VPNs.
  • Monitor for unusual RDP traffic or authentication attempts.

Conclusion

The discovery of CVE-2025-68670 underscores the importance of routine security audits—even for widely used open-source components. Kaspersky's proactive approach not only secured its own USB Redirector but also improved the broader xrdp ecosystem. Administrators should apply patches promptly to prevent potential exploitation. This case also serves as a reminder that seemingly robust protocols like RDP can harbor subtle implementation flaws that require diligent testing to uncover.

For further details, refer to the official security bulletin from the xrdp project.