CVE-2025-68670

xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence (CVE-2025-68670)

Tactics: Initial Access, Execution

CVE-2025-68670 is a critical unauthenticated stack buffer overflow (CWE-121) in xrdp versions prior to 0.10.5. During the RDP connection sequence, a remote unauthenticated attacker can send a specially crafted packet that overflows a stack buffer, potentially enabling remote code execution as the xrdp process user. CVSS 9.1. A public PoC exists. Patch to xrdp >= 0.10.5 immediately.

Vulnerability Intelligence

Public PoC: yes
CVSS: 9.1, Critical (9.0–10)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H


What is CVE-2025-68670, the xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence?

CVE-2025-68670 maps to the MITRE ATT&CK tactics Initial Access (the adversary is trying to get into your network) and Execution.

This page provides production-ready detection logic for CVE-2025-68670, covering the data sources and telemetry it touches: DeviceNetworkEvents, Syslog, SecurityEvent. The queries below are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK tactics: Initial Access, Execution

Microsoft Sentinel / Defender (KQL)

union
  (
    DeviceNetworkEvents
    | where RemotePort == 3389 or LocalPort == 3389
    | where ActionType in ("InboundConnectionAccepted", "ConnectionSuccess")
    | project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, LocalPort, InitiatingProcessFileName, InitiatingProcessCommandLine
  ),
  (
    Syslog
    | where ProcessName has "xrdp"
    | where SyslogMessage has_any ("error", "segfault", "stack", "overflow", "crash", "core dumped", "fatal", "abort")
    | project TimeGenerated, Computer, ProcessName, SyslogMessage
  ),
  (
    SecurityEvent
    | where EventID in (4624, 4625)
    | where LogonType == 10
    | project TimeGenerated, Computer, Account, IpAddress, LogonType, Status, SubStatus
  )
| where TimeGenerated >= ago(24h)
| sort by TimeGenerated desc

Detects potential exploitation of CVE-2025-68670 by correlating inbound RDP connections on port 3389 with xrdp process crash/error logs and RDP logon events. Anomalous connection patterns from external IPs followed by xrdp errors strongly indicate exploitation attempts.

Severity: critical. Confidence: medium.

Data Sources / Required Tables

DeviceNetworkEvents, Syslog, SecurityEvent

False Positives

  • Legitimate RDP connections from administrators or remote workers triggering benign xrdp log noise
  • System resource pressure causing xrdp crashes unrelated to exploitation
  • Automated vulnerability scanners performing RDP fingerprinting
  • Misconfigured RDP clients sending malformed handshake packets
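To make the correlation that the query leaves to the analyst explicit, here is an added Python example that applies the same port filter and error terms to constructed sample telemetry; it is not code from the original page or from the xrdp project. The host name, addresses, log lines and the definition of internal address ranges are assumptions; the benign "connected ok" line from the first false-positive scenario above produces no alert.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Error terms mirror the Sentinel query above. Which ranges count as internal is
# an assumption of this example (RFC 1918 plus loopback).
ERROR_TERMS = ("error", "segfault", "stack", "overflow", "crash", "core dumped", "fatal", "abort")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Constructed sample telemetry for one host (not from a real incident): an admin
# session with benign log noise, then two connections from outside and a crash.
NETWORK_EVENTS = [  # keys follow the DeviceNetworkEvents column names
    {"ts": "2025-01-10T09:00:00", "host": "rdp-gw1", "RemoteIP": "10.0.5.21", "LocalPort": 3389, "ActionType": "InboundConnectionAccepted"},
    {"ts": "2025-01-10T09:42:10", "host": "rdp-gw1", "RemoteIP": "203.0.113.77", "LocalPort": 3389, "ActionType": "InboundConnectionAccepted"},
    {"ts": "2025-01-10T09:42:12", "host": "rdp-gw1", "RemoteIP": "203.0.113.77", "LocalPort": 3389, "ActionType": "InboundConnectionAccepted"},
]
SYSLOG_LINES = [
    "2025-01-10T09:00:03 rdp-gw1 xrdp[1212]: connected ok",
    "2025-01-10T09:42:13 rdp-gw1 xrdp[1215]: *** stack smashing detected ***: terminated",
    "2025-01-10T09:42:14 rdp-gw1 systemd[1]: xrdp.service: Main process exited, code=dumped, status=6/ABRT",
]

def parse_syslog(line):
    """Split a syslog line into ts, host, proc and msg; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])}

def xrdp_errors(lines):
    """Records from a process named like 'xrdp' whose message has an error term. The
    systemd line above is missed: a ProcessName filter, as in the query, skips it."""
    recs = filter(None, map(parse_syslog, lines))
    return [r for r in recs if "xrdp" in r["proc"] and any(t in r["msg"].lower() for t in ERROR_TERMS)]

def correlate(network_events, syslog_lines, window=timedelta(minutes=5)):
    """One alert per xrdp error preceded within `window` by an accepted inbound 3389
    connection on the same host; the union query leaves this step to the analyst."""
    alerts = []
    for err in xrdp_errors(syslog_lines):
        ips = sorted({e["RemoteIP"] for e in network_events
                      if e["host"] == err["host"] and e["LocalPort"] == 3389
                      and e["ActionType"] in ("InboundConnectionAccepted", "ConnectionSuccess")
                      and err["ts"] - window <= datetime.fromisoformat(e["ts"]) <= err["ts"]})
        if ips:
            external = [i for i in ips if not any(ipaddress.ip_address(i) in n for n in INTERNAL_NETS)]
            alerts.append({"host": err["host"], "ts": err["ts"].isoformat(), "message": err["msg"],
                           "remote_ips": ips, "external_ips": external})
    return alerts
```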

Sigma rule & cross-platform mapping

The detection logic for CVE-2025-68670 above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: xrdp Version Enumeration via RDP Banner Grab

    Expected signal: Network connection event to port 3389 from scanning host; xrdp access log entry for the probe connection.

  2. Test 2: Malformed RDP X.224 PDU Fuzzing (PoC Simulation)

    Expected signal: xrdp crash log entry (SIGSEGV/SIGABRT/"stack smashing detected") in /var/log/xrdp.log; core dump if "ulimit -c unlimited" is set; network connection event from test host to port 3389.

  3. Test 3: Post-Exploitation Persistence Check (Simulated RCE Artifact)

    Expected signal: Auditd events for crontab modification by the xrdp user; file creation event in /tmp for .xrdp_persist; process execution telemetry showing "crontab -r" invoked by a non-interactive xrdp session.
