
Detect xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence (CVE-2025-68670) in IBM QRadar

CVE-2025-68670 is a critical unauthenticated stack buffer overflow (CWE-121) in xrdp versions prior to 0.10.5. During the RDP connection sequence, a remote unauthenticated attacker can send a specially crafted packet that overflows a stack buffer, potentially enabling remote code execution as the xrdp process user. CVSS 9.1. A public PoC exists. Patch to xrdp >= 0.10.5 immediately.

MITRE ATT&CK

Tactics: Initial Access, Execution

QRadar Detection Query

Platform: IBM QRadar (AQL)

SELECT
  LOGSOURCENAME(logsourceid) AS log_source,
  "startTime",
  "sourceip",
  "destinationip",
  "destinationport",
  "username",
  "eventdirection",
  "Message"
FROM events
WHERE
  (
    ("destinationport" = 3389 AND "eventdirection" = 'R2L')
    OR
    (LOWER("Message") IMATCHES '.*xrdp.*(segfault|overflow|sigsegv|sigabrt|core dumped|stack smash|fatal error).*')
  )
  AND LOGSOURCETYPENAME(devicetype) IN ('LinuxServer', 'SyslogNGEE', 'Universal DSM', 'IBM Security Network Protection')
  AND "startTime" > (NOW() - 86400000)
ORDER BY "startTime" DESC
LIMIT 500
Severity: critical. Confidence: medium.

AQL query that surfaces inbound (R2L) connections to TCP port 3389 and xrdp crash or overflow log messages from Linux log sources over the past 24 hours (NOW() returns epoch milliseconds, so 86400000 is one day), so the two indicators can be correlated as exploitation evidence for CVE-2025-68670. Two practical notes: the query reads from events, not flows, so the port 3389 clause only fires on log sources that record inbound connections, while the message-pattern clause is the signal that directly reflects a crash; and "Message" is assumed to be a custom event property holding the event text, so if your deployment does not define it, match against UTF8(payload) instead. IMATCHES is already case-insensitive, so the LOWER() wrapper is redundant but harmless.

Data Sources

  • Linux Syslog
  • QRadar Network Activity
  • Universal DSM

Required Tables

events

False Positives & Tuning

  • Authorized RDP jump-box sessions generating benign port 3389 events
  • xrdp crashes due to misconfigured RDP clients sending unexpected protocol messages
  • Log source misconfiguration causing high-volume false event ingestion
  • Legitimate kernel OOM or watchdog killing xrdp
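As an added example (not part of this detection package or of the xrdp project), the following Python script applies the same crash-message pattern that the AQL query uses to a handful of constructed syslog lines, and then correlates each xrdp crash with the clients that connected to the same host inside a short preceding window, which is the join the query description describes. It also shows why the kernel OOM-killer line listed under tuning does not trip the pattern. The inbound-connection wording, hostnames, addresses, PIDs and timestamps are constructed assumptions for this example; the real xrdp log format your collector forwards will differ and the connection regex must be adapted to it.

```python
import re
from datetime import datetime, timedelta

# Traditional syslog timestamps carry no year; the constructed sample is assumed to be 2025.
YEAR = 2025

# Same crash/overflow pattern the AQL query applies to the message field.
# AQL IMATCHES is case-insensitive, which re.IGNORECASE mirrors here.
CRASH_RE = re.compile(
    r"xrdp.*(segfault|overflow|sigsegv|sigabrt|core dumped|stack smash|fatal error)",
    re.IGNORECASE,
)
# Inbound-connection line. The wording is a constructed assumption for this
# example; adapt it to the xrdp log format your collector actually forwards.
CONN_RE = re.compile(r"xrdp\[\d+\]: .*connection received from (?P<src>[\d.]+) port \d+")
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample telemetry, not captured from a real host.
SAMPLE_LOGS = """\
Jan 12 10:14:02 rdp-host xrdp[2215]: [INFO ] connection received from 203.0.113.5 port 51422
Jan 12 10:14:03 rdp-host kernel: xrdp[2215]: segfault at 0 ip 000055d1c0a2f0e4 sp 00007ffd3e0c1a10 error 4 in xrdp[55d1c0a00000+60000]
Jan 12 10:14:03 rdp-host xrdp[2215]: *** stack smashing detected ***: terminated
Jan 12 10:20:00 rdp-host xrdp[2290]: [INFO ] connection received from 10.0.0.7 port 60010
Jan 12 10:20:05 rdp-host xrdp[2290]: [INFO ] session started for user alice
Jan 12 11:00:00 rdp-host kernel: Out of memory: Killed process 3001 (xrdp) total-vm:204800kB
""".splitlines()


def parse(line):
    """Split a syslog line into timestamp, host and message; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "msg": m["msg"]}


def classify(msg):
    """Return 'xrdp_crash', 'inbound_rdp', or None for a message body."""
    if CRASH_RE.search(msg):
        return "xrdp_crash"
    if CONN_RE.search(msg):
        return "inbound_rdp"
    # The OOM-killer line from the tuning list lands here: no crash keyword, no alert.
    return None


def correlate(lines, window=timedelta(seconds=30)):
    """Emit one alert per xrdp crash, attaching the sources that connected to
    that host inside the preceding window. Crash lines carry no client
    address, so the host is the join key between the two indicators."""
    events = [e for e in map(parse, lines) if e]
    connections = []  # (ts, host, src) for every inbound connection seen
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        kind = classify(e["msg"])
        if kind == "inbound_rdp":
            connections.append((e["ts"], e["host"], CONN_RE.search(e["msg"])["src"]))
        elif kind == "xrdp_crash":
            suspects = sorted(
                {src for ts, host, src in connections
                 if host == e["host"] and e["ts"] - window <= ts <= e["ts"]}
            )
            alerts.append({"ts": e["ts"], "host": e["host"], "sources": suspects, "evidence": e["msg"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"{a['ts']} {a['host']} xrdp crash; RDP sources in window: {a['sources']}")
        print(f"  evidence: {a['evidence']}")
```

Run against the sample, both crash lines at 10:14:03 are attributed to the 203.0.113.5 connection one second earlier, the later benign session from 10.0.0.7 is left alone, and the OOM-killer line produces nothing. The 30-second window is a starting point; widen it if your xrdp hosts log connections well before the protocol exchange that would trigger the overflow.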

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: xrdp Version Enumeration via RDP Banner Grab

    Expected signal: Network connection event to port 3389 from scanning host; xrdp access log entry for the probe connection.

  2. Test 2: Malformed RDP X.224 PDU Fuzzing (PoC Simulation)

    Expected signal: xrdp crash log entry (SIGSEGV/SIGABRT/stack smashing detected) in /var/log/xrdp.log; core dump if ulimit -c unlimited is set; network connection event from test host to port 3389.

  3. Test 3: Post-Exploitation Persistence Check (Simulated RCE Artifact)

    Expected signal: Auditd events for crontab modification by xrdp user; file creation event in /tmp for .xrdp_persist; process execution telemetry showing crontab -r invoked by non-interactive xrdp session.
