CVE-2025-68670

xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence

CVE-2025-68670 is a critical (CVSS 9.1) unauthenticated stack-based buffer overflow in xrdp, the open-source RDP server widely deployed on Linux systems. The flaw is a missing bounds check when the server processes the user domain field during the RDP connection sequence, which happens before any authentication takes place. A remote attacker with no credentials can overrun the stack buffer, overwrite the saved return address and redirect control flow, which can lead to arbitrary code execution in the context of the xrdp process. The issue is fixed in xrdp v0.10.5. A build with stack canaries (stack-smashing protection) aborts the process when the canary is overwritten instead of returning to an attacker-chosen address, so a straightforward overflow degrades to a crash; this limits the impact but is not a fix, and the advisory warns against relying on it in production. xrdp is commonly used to provide RDP access to Ubuntu, Debian, CentOS and other Linux servers, including cloud VMs, developer workstations and Linux-based infrastructure in SMB environments. Exploitation needs only network reachability of the xrdp listener, TCP 3389 by default (the port is configured in xrdp.ini); no credentials are required.

Microsoft Sentinel / Defender
```kusto
// CVE-2025-68670 — xrdp Unauthenticated Stack Buffer Overflow
// Surface bursts of inbound connections to the xrdp listener (TCP 3389 by
// default). This is a volume heuristic: one successful exploitation attempt
// is a single connection and will not trip it, so pair it with host evidence
// from Syslog (xrdp crashes, stack-smashing aborts) where that is collected.
// CommonSecurityLog has no column that identifies the destination's OS, and
// DeviceVendor names the vendor of the logging device (firewall/IDS), not the
// target, so scope DestinationIP to known xrdp hosts to keep Windows RDP
// servers out of the results.
let RDPPort = 3389;
let ConnectionThreshold = 20;   // connections per destination per hour
let RDPEvents = (
    CommonSecurityLog
    | where TimeGenerated > ago(24h)
    | where DestinationPort == RDPPort
    | extend HourBin = bin(TimeGenerated, 1h)
);
let HighRateRDPTargets = (
    RDPEvents
    | summarize ConnectionCount = count(), UniqueSourceIPs = dcount(SourceIP)
      by DestinationIP, HourBin
    | where ConnectionCount > ConnectionThreshold
);
RDPEvents
// Join on the hour bin as well as the destination: joining on DestinationIP
// alone attaches every event for a host to every hour in which it was busy.
| join kind=inner HighRateRDPTargets on DestinationIP, HourBin
| extend ThreatIndicator = "CVE-2025-68670-xrdp-BufferOverflow"
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort,
    DeviceVendor, Message, Action, ConnectionCount, UniqueSourceIPs, ThreatIndicator
| sort by ConnectionCount desc, TimeGenerated asc
```

Severity: critical / Confidence: medium
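The rate heuristic behind the query, as an added example that is not part of this page and not xrdp's or the detection vendor's code: a Python implementation run over constructed CEF lines shaped like CommonSecurityLog records (the firewall vendor, product, addresses and timestamps are made up). It bins events per destination and hour, applies the same threshold of 20, and joins the raw events back on both the destination and the hour bin, so a host's quiet hours are not reported just because an earlier hour was busy.

```python
"""Rate-based detection for CVE-2025-68670 exploitation attempts, run over
constructed CEF (CommonSecurityLog-shaped) lines.  Added example; not xrdp's
or the detection vendor's code.  Vendor/product names in the sample are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RDP_PORT = 3389          # xrdp default listener port
THRESHOLD = 20           # connections per destination per hour, as in the query
INDICATOR = "CVE-2025-68670-xrdp-BufferOverflow"
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # CEF extension key=value pairs


def parse_cef(line):
    """Map one CEF line onto the CommonSecurityLog columns the query uses."""
    if not line.startswith("CEF:"):
        return None
    parts = line.split("|", 7)              # 7 header fields + extension
    if len(parts) < 8:
        return None
    ext = dict(EXT_RE.findall(parts[7]))
    return {
        "TimeGenerated": datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc),
        "DeviceVendor": parts[1],
        "SourceIP": ext.get("src"),
        "DestinationIP": ext.get("dst"),
        "DestinationPort": int(ext.get("dpt", 0)),
        "Action": ext.get("act"),
    }


def hour_bin(ts):
    """Equivalent of bin(TimeGenerated, 1h)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def high_rate_targets(records, threshold=THRESHOLD, port=RDP_PORT):
    """summarize ConnectionCount, UniqueSourceIPs by DestinationIP, hour; keep > threshold."""
    counts, sources = defaultdict(int), defaultdict(set)
    for r in records:
        if r["DestinationPort"] != port:
            continue
        key = (r["DestinationIP"], hour_bin(r["TimeGenerated"]))
        counts[key] += 1
        sources[key].add(r["SourceIP"])
    return {k: (n, len(sources[k])) for k, n in counts.items() if n > threshold}


def detect(lines, threshold=THRESHOLD, port=RDP_PORT):
    """Join the raw events back onto the hot (destination, hour) pairs.  Joining on
    the hour bin as well as the destination keeps a quiet hour on a host that was
    busy earlier in the day from being reported."""
    records = [r for r in map(parse_cef, lines) if r]
    hot = high_rate_targets(records, threshold, port)
    hits = []
    for r in records:
        key = (r["DestinationIP"], hour_bin(r["TimeGenerated"]))
        if r["DestinationPort"] == port and key in hot:
            n, uniq = hot[key]
            hits.append({**r, "ConnectionCount": n, "UniqueSourceIPs": uniq,
                         "ThreatIndicator": INDICATOR})
    return sorted(hits, key=lambda h: (-h["ConnectionCount"], h["TimeGenerated"]))


def cef(ts, src, dst, dpt, act="allow"):
    """Constructed CEF line; rt is epoch milliseconds."""
    return (f"CEF:0|ExampleFW|NGFW|1.0|100|Connection|3|rt={int(ts.timestamp() * 1000)} "
            f"src={src} dst={dst} dpt={dpt} proto=TCP act={act}")


BASE = datetime(2025, 12, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_LINES = (
    # 25 connections in one hour from a single source: trips the threshold
    [cef(BASE + timedelta(minutes=2 * i), "198.51.100.7", "10.0.0.5", 3389) for i in range(25)]
    # 3 connections four hours later to the same host: same DestinationIP, quiet hour
    + [cef(BASE + timedelta(hours=4, minutes=i), "203.0.113.4", "10.0.0.5", 3389) for i in range(3)]
    # a single connection to another host, and an SSH connection to the first one
    + [cef(BASE + timedelta(minutes=5), "203.0.113.4", "10.0.0.9", 3389),
       cef(BASE + timedelta(minutes=7), "203.0.113.4", "10.0.0.5", 22)]
)

if __name__ == "__main__":
    for h in detect(SAMPLE_LINES):
        print(h["TimeGenerated"].isoformat(), h["SourceIP"], "->", h["DestinationIP"],
              h["ConnectionCount"], h["UniqueSourceIPs"], h["ThreatIndicator"])
```

On the sample, only the 25 events in the busy hour against 10.0.0.5 are reported; the three connections to the same host four hours later are not, and the SSH event is excluded by the port filter. Lowering the threshold to 2 pulls the later hour in as well, which is the knob to tune against the false positives listed below.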

Data Sources

  • CommonSecurityLog (firewall/IDS logs)
  • AzureNetworkAnalytics_CL (NSG flow logs)
  • Syslog (xrdp daemon logs on Linux hosts)
  • LinuxAuditLog
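The Syslog source is the one that can confirm an attempt rather than infer it from connection volume: a crash of an xrdp process seconds after an inbound connection is direct evidence, and on a canary-protected build the crash shows up as glibc's stack-smashing abort rather than a hijacked return. As an added example that is not part of this page and not xrdp's code, the Python below pairs xrdp crash messages with the most recent inbound connection on the same host, over constructed syslog lines. The xrdp "connection received from" wording, the kernel segfault report and the glibc message are reproduced from memory and should be checked against your own hosts' logs; the five-second window, the year and the host names are assumptions.

```python
"""Host-side evidence for CVE-2025-68670: pair xrdp crash messages in Syslog
with the inbound connection that preceded them on the same host.  Added
example over constructed log lines; not xrdp's or the detection vendor's code.
Message formats are assumed from memory, not taken from the page."""
import re
from datetime import datetime, timedelta

# Traditional syslog line: "Mon dd HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
CONN_RE = re.compile(r"connection received from (?P<ip>\S+) port (?P<port>\d+)")
# Crash indicators for a process named xrdp: the kernel's segfault report and
# glibc's stack-protector abort (what a canary build produces instead of a hijack).
CRASH_PATTERNS = {
    "segfault": re.compile(r"\bxrdp\[\d+\]: segfault at \S+ ip \S+ sp \S+ error \d+"),
    "stack_smashing": re.compile(r"\*\*\* stack smashing detected \*\*\*"),
}
WINDOW = timedelta(seconds=5)   # assumption: the crash follows its connection within 5 s
YEAR = 2025                     # syslog timestamps carry no year; assumed for the sample


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"], "prog": m["prog"].strip(), "pid": m["pid"], "msg": m["msg"],
    }


def correlate(lines, window=WINDOW):
    """One finding per xrdp crash.  suspected_source is the peer of the most recent
    xrdp connection on that host if it arrived within `window`, else None (a crash
    with no fresh connection still deserves a look, but is not tied to a peer)."""
    last_conn = {}                      # host -> (ts, peer ip, peer port)
    findings = []
    for rec in filter(None, map(parse_syslog, lines)):
        if rec["prog"] == "xrdp":
            m = CONN_RE.search(rec["msg"])
            if m:
                last_conn[rec["host"]] = (rec["ts"], m["ip"], int(m["port"]))
                continue
        for kind, pat in CRASH_PATTERNS.items():
            if pat.search(rec["msg"]) and (rec["prog"] == "xrdp" or "xrdp[" in rec["msg"]):
                conn = last_conn.get(rec["host"])
                recent = conn is not None and timedelta(0) <= rec["ts"] - conn[0] <= window
                findings.append({"host": rec["host"], "ts": rec["ts"], "indicator": kind,
                                 "suspected_source": conn[1] if recent else None,
                                 "cve": "CVE-2025-68670"})
    return findings


# Constructed sample: documentation-range addresses, illustrative fault addresses.
SAMPLE_SYSLOG = [
    "Dec  1 10:13:40 rdp-host xrdp[1021]: [INFO ] Socket 12: AF_INET connection received from 203.0.113.4 port 50210",
    "Dec  1 10:14:02 rdp-host xrdp[1021]: [INFO ] Socket 12: AF_INET connection received from 198.51.100.7 port 51644",
    "Dec  1 10:14:03 rdp-host kernel: xrdp[1022]: segfault at 41414141 ip 0000000041414141 sp 00007ffd2a3f1e40 error 14 in xrdp[55d8c9f4b000+30000]",
    "Dec  1 10:14:09 rdp-host xrdp[1021]: [INFO ] Socket 12: AF_INET connection received from 198.51.100.7 port 51650",
    "Dec  1 10:14:09 rdp-host xrdp[1025]: *** stack smashing detected ***: terminated",
    "Dec  1 10:14:10 rdp-host sshd[1030]: Accepted publickey for alice from 203.0.113.4 port 40022 ssh2",
    "Dec  1 11:30:00 other-host kernel: xrdp[2201]: segfault at 0 ip 00007f1a3c0d11e0 sp 00007ffc9d0e1a30 error 4 in libc.so.6[7f1a3c0a0000+195000]",
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_SYSLOG):
        print(f["ts"], f["host"], f["indicator"], "from", f["suspected_source"])
```

On the sample, both crashes on rdp-host are attributed to 198.51.100.7 (the earlier connection from 203.0.113.4 is not blamed because a newer connection arrived in between), while the crash on other-host, with no recent connection, is reported without a source. A segfault whose fault address is 0x41414141 is the classic sign of a return address overwritten with attacker-controlled bytes.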

Required Tables

  • CommonSecurityLog
  • Syslog

False Positives

  • Legitimate high-frequency RDP connections from terminal servers or RDP session brokers
  • Vulnerability scanners performing authorised RDP service discovery
  • RDP load testing or automation frameworks
