Detect xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence (CVE-2025-68670) in CrowdStrike LogScale
CVE-2025-68670 is a critical unauthenticated stack buffer overflow (CWE-121) in xrdp versions prior to 0.10.5. During the RDP connection sequence, a remote unauthenticated attacker can send a specially crafted packet that overflows a stack buffer, potentially enabling remote code execution as the xrdp process user. CVSS 9.1. A public PoC exists. Patch to xrdp >= 0.10.5 immediately.
MITRE ATT&CK
- Tactic: Initial Access, Execution
LogScale Detection Query
// Scope to the Falcon event types this rule needs
#event_simpleName=/^(NetworkConnectIP4|NetworkConnectIP6|ProcessRollup2|SyntheticProcessRollup2)$/
// Leg 1: inbound connections to the RDP port. Leg 2: xrdp processes that exited abnormally or dumped core
| (
    (#event_simpleName=/^NetworkConnectIP[46]$/ and RemotePort="3389" and NetworkDirectionName="INBOUND")
    or
    (#event_simpleName=/^(ProcessRollup2|SyntheticProcessRollup2)$/ and ImageFileName=/xrdp/i and (ExitCode!="0" or CommandLine=/core/i))
  )
// Label each surviving event with the leg that produced it
| case {
    #event_simpleName=/^NetworkConnectIP[46]$/ | event_type := "rdp_inbound";
    * | event_type := "xrdp_abnormal_exit";
  }
| groupBy([ComputerName, aid, RemoteAddressIP4, RemotePort, ImageFileName, ExitCode, event_type], function=count())
| sort(count, order=desc)
CrowdStrike Falcon Query Language rule correlating inbound RDP connections and xrdp process abnormal exits to detect CVE-2025-68670 exploitation attempts on Linux endpoints.
Data Sources
Required Tables
False Positives & Tuning
- Authorized RDP traffic from management networks
- xrdp update or restart processes causing non-zero exit codes
- Sensor policy gaps causing incomplete telemetry
- Automated IT tooling connecting to port 3389 for health checks
Other platforms for CVE-2025-68670
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: xrdp Version Enumeration via RDP Banner Grab
  Expected signal: Network connection event to port 3389 from scanning host; xrdp access log entry for the probe connection.
- Test 2: Malformed RDP X.224 PDU Fuzzing (PoC Simulation)
  Expected signal: xrdp crash log entry (SIGSEGV/SIGABRT/stack smashing detected) in /var/log/xrdp.log; core dump if ulimit -c unlimited is set; network connection event from test host to port 3389.
- Test 3: Post-Exploitation Persistence Check (Simulated RCE Artifact)
  Expected signal: Auditd events for crontab modification by xrdp user; file creation event in /tmp for .xrdp_persist; process execution telemetry showing crontab -r invoked by non-interactive xrdp session.
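The crash-log signal expected from Test 2 and the tuning points under False Positives & Tuning can be exercised on the host itself with a small log parser. The following is an added example, not part of the original page and not xrdp project code: it scans constructed /var/log/xrdp.log lines (the "[YYYYMMDD-HH:MM:SS] [LEVEL] message" layout and the "connection received from <ip> port <n>" wording are assumptions), attributes each crash indicator named above (stack smashing detected, SIGSEGV, SIGABRT) to the most recent inbound connection within a short window, and rates alerts from allowlisted management networks "low" instead of dropping them.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample of /var/log/xrdp.log. The "[YYYYMMDD-HH:MM:SS] [LEVEL] message"
# layout and the "connection received from <ip> port <n>" wording are assumptions
# for this example; adjust LINE_RE/CONN_RE to match the xrdp build you run.
SAMPLE_XRDP_LOG = """\
[20260105-10:02:11] [INFO ] starting xrdp with pid 1234
[20260105-10:03:40] [INFO ] Socket 12: AF_INET connection received from 10.0.5.20 port 49152
[20260105-10:03:41] [INFO ] connected client computer name: mgmt-ws01
[20260105-10:03:50] [ERROR] xrdp terminated by signal SIGABRT
[20260105-10:05:02] [INFO ] Socket 13: AF_INET connection received from 203.0.113.77 port 51234
[20260105-10:05:02] [ERROR] *** stack smashing detected ***: terminated
[20260105-10:05:03] [ERROR] xrdp terminated by signal SIGSEGV
[20260105-10:07:15] [INFO ] Socket 14: AF_INET connection received from 198.51.100.9 port 40000
[20260105-10:07:16] [ERROR] xrdp terminated by signal SIGABRT
[20260105-11:00:00] [ERROR] xrdp terminated by signal SIGABRT
"""

LINE_RE = re.compile(r"^\[(?P<ts>\d{8}-\d{2}:\d{2}:\d{2})\] \[(?P<level>[A-Z ]+)\] (?P<msg>.*)$")
CONN_RE = re.compile(r"connection received from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)")
# Crash indicators named in the expected-signal list for Test 2.
CRASH_RE = re.compile(r"stack smashing detected|SIGSEGV|SIGABRT")


@dataclass
class Alert:
    source_ip: str
    connected_at: datetime
    severity: str
    indicators: list = field(default_factory=list)


def parse_ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y%m%d-%H:%M:%S")


def detect_crashes(lines, allow_cidrs=(), window=timedelta(seconds=30)):
    """Attribute crash indicators to the most recent inbound connection.

    One Alert is produced per connection that is followed, within `window`,
    by at least one crash indicator. Connections from `allow_cidrs`
    (management networks, see False Positives & Tuning) are kept but
    rated "low" instead of "high": a crash is still a crash.
    """
    allow_nets = [ipaddress.ip_network(c) for c in allow_cidrs]
    alerts = []
    last_conn = None   # (timestamp, source ip) of the newest connection seen
    open_alert = None  # Alert already raised for last_conn, if any
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        conn = CONN_RE.search(msg)
        if conn:
            last_conn, open_alert = (ts, conn["ip"]), None
            continue
        crash = CRASH_RE.search(msg)
        # A crash with no recent connection (e.g. a restart during maintenance) is out of scope.
        if not crash or last_conn is None or ts - last_conn[0] > window:
            continue
        if open_alert is None:
            src = ipaddress.ip_address(last_conn[1])
            severity = "low" if any(src in n for n in allow_nets) else "high"
            open_alert = Alert(last_conn[1], last_conn[0], severity)
            alerts.append(open_alert)
        open_alert.indicators.append(crash.group(0))
    return alerts


if __name__ == "__main__":
    for a in detect_crashes(SAMPLE_XRDP_LOG.splitlines(), allow_cidrs=["10.0.0.0/8"]):
        print(f"{a.severity:4} {a.connected_at:%H:%M:%S} {a.source_ip:15} {', '.join(a.indicators)}")
```

On the constructed sample this yields three alerts: a low-rated one for the management host 10.0.5.20, a high-rated one for 203.0.113.77 carrying both the stack-smashing message and the SIGSEGV, and a high-rated one for 198.51.100.9; the final SIGABRT at 11:00:00 has no connection inside the window and is ignored. Feed the same source IPs into the RemoteAddressIP4 grouping of the LogScale rule above to confirm the sensor saw the corresponding inbound connection on port 3389.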
Unlock Pro Content
Get the full detection package for CVE-2025-68670 including response playbook, investigation guide, and atomic red team tests.