CVE-2025-68670 Google Chronicle · YARA-L

Detect xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence (CVE-2025-68670) in Google Chronicle

CVE-2025-68670 is a critical unauthenticated stack buffer overflow (CWE-121) in xrdp versions prior to 0.10.5. During the RDP connection sequence, a remote unauthenticated attacker can send a specially crafted packet that overflows a stack buffer, potentially enabling remote code execution as the xrdp process user. CVSS 9.1. A public PoC exists. Patch to xrdp >= 0.10.5 immediately.

MITRE ATT&CK

Tactic
Initial Access Execution

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule cve_2025_68670_xrdp_stack_overflow {
  meta:
    author = "df00tech"
    description = "Detects potential exploitation of CVE-2025-68670 xrdp unauthenticated stack buffer overflow"
    severity = "CRITICAL"
    confidence = "MEDIUM"
    reference = "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f"

  events:
    (
      $network.metadata.event_type = "NETWORK_CONNECTION"
      $network.target.port = 3389
      $network.network.direction = "INBOUND"
      $network.principal.ip != "127.0.0.1"
    )
    or
    (
      $process.metadata.event_type = "PROCESS_UNCATEGORIZED"
      re.regex($process.principal.process.file.full_path, `.*xrdp.*`)
      re.regex($process.metadata.description, `(?i)(segfault|overflow|sigsegv|sigabrt|core dumped|fatal|crash)`)
    )

  condition:
    $network or $process
}
critical severity medium confidence

Chronicle YARA-L rule detecting inbound RDP connections to port 3389 and xrdp crash/signal events indicative of CVE-2025-68670 exploitation.

Data Sources

Chronicle Network EventsChronicle Process EventsLinux Endpoint

Required Tables

network_connectionprocess_uncategorized

False Positives & Tuning

  • Legitimate remote administration over RDP from known jump hosts
  • xrdp service restarts during patching or maintenance
  • RDP vulnerability scanners from authorized security tooling
  • Non-exploit xrdp crashes from resource constraints

Other platforms for CVE-2025-68670

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1xrdp Version Enumeration via RDP Banner Grab

    Expected signal: Network connection event to port 3389 from scanning host; xrdp access log entry for the probe connection.

  2. Test 2Malformed RDP X.224 PDU Fuzzing (PoC Simulation)

    Expected signal: xrdp crash log entry (SIGSEGV/SIGABRT/stack smashing detected) in /var/log/xrdp.log; core dump if ulimit -c unlimited is set; network connection event from test host to port 3389.

  3. Test 3Post-Exploitation Persistence Check (Simulated RCE Artifact)

    Expected signal: Auditd events for crontab modification by xrdp user; file creation event in /tmp for .xrdp_persist; process execution telemetry showing crontab -r invoked by non-interactive xrdp session.

Last updated: 2026-06-20 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2025-68670 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002Execution

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1136Create Account

Same Tactic: Initial Access

Popular Detections