Detect xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence in Microsoft Sentinel
CVE-2025-68670 is a critical (CVSS 9.1) unauthenticated stack-based buffer overflow in xrdp, the open-source RDP server widely deployed on Linux systems. The flaw stems from improper bounds checking when xrdp processes the client's domain information during the RDP connection sequence, before any authentication takes place. A remote attacker can overflow the stack buffer and overwrite the saved return address, potentially redirecting execution to attacker-controlled code. The issue is fixed in xrdp v0.10.5. Binaries compiled with stack canary protection are harder to exploit (a detected canary overwrite aborts the process instead of handing over control flow), but the advisory warns against relying on this for production systems. xrdp is commonly used to provide RDP access to Ubuntu, Debian, CentOS and other Linux servers, including cloud VMs, developer workstations and Linux-based infrastructure in SMB environments. Exploitation requires no credentials, only network access to port 3389.
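The vulnerability class described above is a missing bounds check on an attacker-supplied length field before the matching bytes are copied into a fixed-size stack buffer. The block below is an added example, not xrdp's parser and not taken from the advisory: it models the two checks a server must apply to the Client Info PDU domain field. The field order and sizes follow the TS_INFO_PACKET layout in MS-RDPBCGR (CodePage, flags, cbDomain, cbUserName, cbPassword, cbAlternateShell, cbWorkingDir, then the strings); MAX_DOMAIN and the helper names are assumptions for illustration only.

```python
"""
Bounds checks for the Client Info PDU domain field (added example, not
xrdp code). Two independent checks are needed before copying Domain into a
fixed buffer:
  1. cbDomain (attacker-controlled) must fit the destination buffer.
  2. cbDomain must not run past the bytes actually present in the PDU.
Skipping check 1 is the bug class behind a stack buffer overflow.
"""
import struct
from typing import Optional

# CodePage(4) flags(4) cbDomain(2) cbUserName(2) cbPassword(2)
# cbAlternateShell(2) cbWorkingDir(2); little-endian per MS-RDPBCGR.
HEADER = struct.Struct("<IIHHHHH")          # 18 bytes
MAX_DOMAIN = 255                            # assumed server-side buffer size in bytes


class MalformedPDU(ValueError):
    """Raised when a length field violates either bound."""


def parse_domain(pdu: bytes) -> bytes:
    """Return the Domain bytes, or raise MalformedPDU."""
    if len(pdu) < HEADER.size:
        raise MalformedPDU("truncated header")
    _codepage, _flags, cb_domain, *_rest = HEADER.unpack_from(pdu, 0)
    # Check 1: destination buffer bound (the missing check in an overflow).
    if cb_domain > MAX_DOMAIN:
        raise MalformedPDU(f"cbDomain {cb_domain} exceeds buffer of {MAX_DOMAIN}")
    # Check 2: source bound. cbDomain excludes the mandatory 2-byte UTF-16
    # null terminator, which must also be present.
    end = HEADER.size + cb_domain + 2
    if end > len(pdu):
        raise MalformedPDU("cbDomain runs past the end of the PDU")
    return pdu[HEADER.size:HEADER.size + cb_domain]


def domain_is_well_formed(pdu: bytes) -> bool:
    """Boolean wrapper around parse_domain for quick filtering."""
    try:
        parse_domain(pdu)
        return True
    except MalformedPDU:
        return False


def build_pdu(domain: bytes, declared_len: Optional[int] = None) -> bytes:
    """Constructed test PDU. declared_len lets a caller lie in cbDomain."""
    cb = len(domain) if declared_len is None else declared_len
    return HEADER.pack(0, 0, cb, 0, 0, 0, 0) + domain + b"\x00\x00"


if __name__ == "__main__":
    print(parse_domain(build_pdu("CORP".encode("utf-16-le"))))
    print(domain_is_well_formed(build_pdu(b"A" * 600)))   # oversized: False
    print(domain_is_well_formed(build_pdu(b"AB", 100)))   # lying length: False
```

Both checks matter: a length that fits the buffer but exceeds the received bytes is an over-read, and a length that is present in the PDU but exceeds the buffer is the overflow.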
MITRE ATT&CK
- Tactics: Initial Access, Execution
KQL Detection Query
```kql
// CVE-2025-68670 - xrdp Unauthenticated Stack Buffer Overflow
// Surface high-rate connection bursts to port 3389 in firewall/network logs.
// Flow-level logs do not expose the oversized domain field itself; see the
// note below the query.
let RDPPort = 3389;
let HighRateRDPTargets = (
    CommonSecurityLog
    | where TimeGenerated > ago(24h)
    | where DestinationPort == RDPPort
    // DeviceVendor identifies the device that produced the log (firewall,
    // proxy), not the RDP endpoint. Scope DestinationIP to known Linux/xrdp
    // hosts from an asset list or watchlist rather than relying on this filter.
    | where DeviceVendor !in ("Microsoft")
    | summarize ConnectionCount = count(), UniqueSourceIPs = dcount(SourceIP)
        by DestinationIP, HourBin = bin(TimeGenerated, 1h)
    | where ConnectionCount > 20 // high rate = scanning/automated exploitation; tune per environment
);
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationPort == RDPPort
| extend HourBin = bin(TimeGenerated, 1h)
// Join on the hour bucket as well as the host; joining on DestinationIP alone
// tags every connection in the 24h window once any single hour crosses the threshold.
| join kind=inner HighRateRDPTargets on DestinationIP, HourBin
| extend ThreatIndicator = "CVE-2025-68670-xrdp-BufferOverflow"
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort,
    DeviceVendor, Message, Action, ConnectionCount, UniqueSourceIPs, ThreatIndicator
| sort by ConnectionCount desc
```
Detects potential exploitation of CVE-2025-68670 by monitoring firewall and network logs (CommonSecurityLog) for bursts of connection attempts to port 3389 and returning the individual records behind each burst. High connection rates to an RDP port are consistent with scanning for, or automated exploitation of, vulnerable xrdp versions. Two caveats apply. DeviceVendor in CommonSecurityLog names the device that produced the log, not the RDP server, so identify Linux/xrdp hosts from your asset inventory rather than from that field. Flow-level logs also cannot see the Client Info PDU, so a single well-formed exploit attempt will not cross the threshold; pair this query with xrdp's own log (error entries naming the client IP) and kernel crash messages for the xrdp process to get per-attempt coverage.
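To see what the threshold and join logic actually return, here is the same detection re-implemented in Python over constructed CommonSecurityLog-style records. This is an added example, not the page's query and not Microsoft code; the record layout (TimeGenerated, SourceIP, DestinationIP, DestinationPort), the sample IPs and the helper names are assumptions. It also shows the difference between joining flagged buckets on host and hour versus on host alone.

```python
"""
Pure-Python equivalent of the KQL detection, run offline over constructed
telemetry (added example, not the page's query). Each record is
(TimeGenerated, SourceIP, DestinationIP, DestinationPort).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389
THRESHOLD = 20          # same per-hour cut-off as the KQL
INDICATOR = "CVE-2025-68670-xrdp-BufferOverflow"


def hour_bin(ts):
    """Equivalent of bin(TimeGenerated, 1h)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def high_rate_targets(records):
    """summarize count(), dcount(SourceIP) by DestinationIP, hour bucket,
    keeping only buckets over THRESHOLD. Returns {(dst, hour): (count, unique_sources)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst, dport in records:
        if dport != RDP_PORT:
            continue
        key = (dst, hour_bin(ts))
        counts[key] += 1
        sources[key].add(src)
    return {k: (n, len(sources[k])) for k, n in counts.items() if n > THRESHOLD}


def flag_connections(records, join_on_hour=True):
    """Inner join of raw connection records to the flagged buckets.
    join_on_hour=False mimics a join on DestinationIP alone: every RDP
    connection to the host in the window is tagged once one hour is over threshold."""
    targets = high_rate_targets(records)
    flagged_hosts = {dst for dst, _ in targets}
    flagged = []
    for ts, src, dst, dport in records:
        if dport != RDP_PORT:
            continue
        key = (dst, hour_bin(ts))
        if (key in targets) if join_on_hour else (dst in flagged_hosts):
            flagged.append((ts, src, dst, INDICATOR))
    return flagged


def sample_records():
    """Constructed telemetry: a 25-connection burst from three sources against
    one host in the 10:00 hour, single admin logons to the same host in other
    hours, one connection to a second host, and one non-RDP flow."""
    base = datetime(2025, 1, 15, 10, 0, 0)
    recs = [(base + timedelta(minutes=i), f"203.0.113.{10 + i % 3}", "10.0.0.5", RDP_PORT)
            for i in range(25)]
    recs += [(base.replace(hour=h), "10.0.0.20", "10.0.0.5", RDP_PORT) for h in (8, 9, 12, 13)]
    recs.append((base, "10.0.0.20", "10.0.0.6", RDP_PORT))
    recs.append((base, "10.0.0.20", "10.0.0.5", 22))
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print(high_rate_targets(recs))
    print(len(flag_connections(recs)), "flagged joining on host and hour")
    print(len(flag_connections(recs, join_on_hour=False)), "flagged joining on host only")
```

With the sample data, the host-and-hour join returns exactly the 25 burst connections; the host-only join also drags in the four routine admin logons from other hours, which is the noise the extra join key removes.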
Data Sources
Required tables: CommonSecurityLog (CEF/Syslog from firewalls or network devices that log connections to port 3389)
False Positives & Tuning
- Legitimate high-frequency RDP connections from terminal servers or RDP session brokers
- Vulnerability scanners performing authorised RDP service discovery
- RDP load testing or automation frameworks
Testing Methodology
Validate this detection against one adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Send an oversized domain field in the RDP Client Info PDU to xrdp
Expected signal: xrdp.log shows an error or crash entry naming the client IP; kern.log shows a segfault for the xrdp process if the overflow triggers on a build without stack canary protection. On a canary-protected build expect a stack-smashing abort instead, which is still a crash worth alerting on.
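The host-side half of that signal is easy to miss if the two logs are read separately. The block below is an added example, not part of the page or of the Atomic Red Team test, that extracts client-attributed xrdp error entries and xrdp crash lines (kernel segfault or glibc stack-smashing abort) and pairs them by time. The xrdp.log line prefix and message text are assumptions and the log lines are constructed; only the kernel "segfault at" and glibc "*** stack smashing detected ***" message shapes are standard.

```python
"""
Correlate xrdp.log errors with xrdp crash lines from kern.log / the journal
(added example). All log lines below are constructed for the example.
"""
import re
from datetime import datetime

# Constructed xrdp.log excerpt; the "[YYYYMMDD-HH:MM:SS] [LEVEL]" prefix is assumed.
XRDP_LOG = [
    "[20250115-10:03:20] [INFO ] connection accepted",
    "[20250115-10:03:22] [ERROR] client info PDU rejected, client 203.0.113.10",
    "[20250115-10:07:44] [ERROR] client info PDU rejected, client 203.0.113.11",
    "[20250115-10:30:00] [ERROR] connection to sesman failed",
]
# Constructed kern.log and journal lines in syslog layout.
HOST_LOG = [
    "Jan 15 09:00:00 rdp01 kernel: eth0: link up",
    "Jan 15 10:03:23 rdp01 kernel: xrdp[4321]: segfault at 0 ip 0000000000000000 "
    "sp 00007ffd1234abcd error 14 in xrdp[400000+1000]",
    "Jan 15 10:07:45 rdp01 xrdp[4400]: *** stack smashing detected ***: terminated",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
XRDP_ERR = re.compile(r"^\[(\d{8}-\d{2}:\d{2}:\d{2})\] \[ERROR\].*?" + IPV4)
SYSLOG_TS = r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
KERN_SEGV = re.compile(SYSLOG_TS + r"kernel: .*?\bxrdp\[(\d+)\]: segfault at")
STACK_CHK = re.compile(SYSLOG_TS + r"xrdp\[(\d+)\]: \*\*\* stack smashing detected")


def xrdp_errors(lines):
    """(timestamp, client_ip) for each ERROR entry that names an IPv4 address."""
    out = []
    for line in lines:
        m = XRDP_ERR.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y%m%d-%H:%M:%S"), m.group(2)))
    return out


def crashes(lines, year=2025):
    """(timestamp, pid, kind) for xrdp segfaults and stack-canary aborts.
    Syslog timestamps carry no year, so the caller supplies it."""
    out = []
    for line in lines:
        for pattern, kind in ((KERN_SEGV, "segfault"), (STACK_CHK, "stack-canary-abort")):
            m = pattern.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                out.append((ts, int(m.group(2)), kind))
    return out


def correlate(xrdp_lines, host_lines, window_s=120):
    """Pair each client-attributed error with a crash that follows it within window_s seconds."""
    hits = []
    crash_list = crashes(host_lines)
    for err_ts, client in xrdp_errors(xrdp_lines):
        for crash_ts, pid, kind in crash_list:
            delta = (crash_ts - err_ts).total_seconds()
            if 0 <= delta <= window_s:
                hits.append({"client": client, "pid": pid, "kind": kind, "seconds_after_error": delta})
    return hits


if __name__ == "__main__":
    for hit in correlate(XRDP_LOG, HOST_LOG):
        print(hit)
```

The correlation window is deliberately short: a crash that follows a rejected Client Info PDU within a couple of minutes from the same client is the signal the test above describes, while a sesman error with no client IP, or an unrelated kernel line, is ignored.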