CVE-2025-68670 Elastic Security · Elastic

Detect xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence (CVE-2025-68670) in Elastic Security

CVE-2025-68670 is a critical unauthenticated stack buffer overflow (CWE-121) in xrdp versions prior to 0.10.5. During the RDP connection sequence, a remote unauthenticated attacker can send a specially crafted packet that overflows a stack buffer, potentially enabling remote code execution as the xrdp process user. CVSS 9.1. A public PoC exists. Patch to xrdp >= 0.10.5 immediately.

MITRE ATT&CK

Tactic
Initial Access Execution

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=2m
  [network where destination.port == 3389 and network.direction == "ingress" and source.ip != "127.0.0.1"]
  [process where process.name like~ "xrdp*" and
    (
      event.action == "process_stopped" or
      process.exit_code != null and process.exit_code != 0 or
      process.title like~ "*(segfault|SIGSEGV|SIGABRT|core dumped|overflow)*"
    )
  ]
critical severity high confidence

EQL sequence detecting an inbound RDP connection to port 3389 followed within 2 minutes by an abnormal xrdp process termination, indicating a potential stack buffer overflow exploitation attempt.

Data Sources

Elastic EndpointNetwork packet logsSystem/process logs

Required Tables

logs-endpoint.events.network-*logs-endpoint.events.process-*

False Positives & Tuning

  • Legitimate RDP sessions from admins coinciding with xrdp service restarts or updates
  • OOM conditions causing xrdp to crash during normal operations
  • Automated RDP health-check scripts triggering connection + process events
  • Kernel panics or hardware faults causing xrdp abnormal exit

Other platforms for CVE-2025-68670

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1xrdp Version Enumeration via RDP Banner Grab

    Expected signal: Network connection event to port 3389 from scanning host; xrdp access log entry for the probe connection.

  2. Test 2Malformed RDP X.224 PDU Fuzzing (PoC Simulation)

    Expected signal: xrdp crash log entry (SIGSEGV/SIGABRT/stack smashing detected) in /var/log/xrdp.log; core dump if ulimit -c unlimited is set; network connection event from test host to port 3389.

  3. Test 3Post-Exploitation Persistence Check (Simulated RCE Artifact)

    Expected signal: Auditd events for crontab modification by xrdp user; file creation event in /tmp for .xrdp_persist; process execution telemetry showing crontab -r invoked by non-interactive xrdp session.

Last updated: 2026-06-20 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2025-68670 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002Execution

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1136Create Account

Same Tactic: Initial Access

Popular Detections