Detect xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence in Splunk
CVE-2025-68670 is a critical (CVSS 9.1) unauthenticated stack-based buffer overflow vulnerability in xrdp, the open-source RDP server widely deployed on Linux systems. The vulnerability stems from improper bounds checking when processing user domain information during the RDP connection sequence (pre-authentication). An unauthenticated remote attacker can overwrite the stack buffer and return address, potentially redirecting execution flow to execute arbitrary code. Fixed in xrdp v0.10.5. The impact is partially mitigated if the binary was compiled with stack canary protection, though the advisory warns against relying on this for production systems. xrdp is commonly used to provide RDP access to Ubuntu, Debian, CentOS, and other Linux servers — including cloud VMs, developer workstations, and Linux-based infrastructure in SMB environments. Exploitation requires no credentials and only network access to port 3389.
MITRE ATT&CK
- Tactic: Initial Access, Execution
SPL Detection Query
Network-based detection. The hourly bucketing is done with `bin` (SPL's `stats` does not accept a `span` argument), and the Linux-target hint is taken from the destination hostname where the log carries one, since neither the IP address nor the firewall vendor identifies the target OS:
```
index=network sourcetype IN ("pan:traffic", "cisco:asa", "fortigate:traffic", "suricata", "snort", "bro:conn")
    dest_port=3389
| eval is_linux_target=if(match(coalesce(dest_host, dest), "(?i)(linux|ubuntu|debian)"), "true", "unknown")
| bin _time span=1h
| stats count AS RDPAttempts,
        dc(src_ip) AS UniqueSourceIPs,
        values(src_ip) AS SourceIPs,
        values(action) AS Actions,
        values(is_linux_target) AS LinuxTarget,
        sum(bytes_in) AS BytesReceived
    BY dest_ip, _time
| where RDPAttempts > 20 OR UniqueSourceIPs > 5
| eval CVE="CVE-2025-68670", Severity="CRITICAL", Note="High-volume RDP to potential xrdp host — possible stack overflow exploitation attempt"
| table _time, dest_ip, LinuxTarget, SourceIPs, RDPAttempts, UniqueSourceIPs, Actions, BytesReceived, CVE, Severity, Note
| sort - RDPAttempts
```
For xrdp syslog-based detection (on host), where `xrdp_hosts` is a lookup whose `host` column lists your xrdp servers (a bare `host IN (xrdp_hosts)` would match the literal string, so the lookup is pulled in with a subsearch). The client IP and the error keyword are extracted with separate `rex` commands because xrdp log lines do not always place the address before the keyword:
```
index=linux sourcetype IN ("syslog", "linux_audit")
    [| inputlookup xrdp_hosts | fields host]
    ("xrdp" OR "xrdp-sesman")
    ("error" OR "fail" OR "crash" OR "segfault" OR "buffer" OR "overflow")
| rex field=_raw "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=_raw "(?i)(?<error_type>error|fail|crash|segfault|buffer|overflow)"
| bin _time span=30m
| stats count AS Errors, values(client_ip) AS ClientIPs, values(error_type) AS ErrorTypes
    BY host, _time
| where Errors > 3
```
Detects xrdp exploitation attempts for CVE-2025-68670 by monitoring network traffic logs for high-volume RDP connections to Linux servers, and xrdp daemon syslog for crash, error and segfault entries that may point to buffer overflow exploitation attempts.
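As an added worked example (not part of the original detection content), the Python script below applies the same host-side logic as the syslog query to a few constructed syslog lines: it keeps only lines that mention xrdp and an error keyword, extracts the client IP and error type, buckets events per host into 30-minute windows, and flags any window with more than three errors. The log format is an assumed rsyslog-style layout, the log lines are constructed samples rather than real xrdp output, and the year (which syslog timestamps omit) is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (assumed rsyslog-style format; not real xrdp output).
SAMPLE_SYSLOG = """\
Jan 14 10:02:11 rdp-srv01 xrdp[1201]: [INFO ] connected client computer name: WS-07
Jan 14 10:03:40 rdp-srv01 xrdp[1201]: [ERROR] xrdp_mm_process_login_response: login failed for 10.20.30.5
Jan 14 10:05:02 rdp-srv01 xrdp[1201]: [ERROR] connection from 198.51.100.23 failed: malformed client info
Jan 14 10:05:09 rdp-srv01 xrdp[1201]: [ERROR] connection from 198.51.100.23 failed: malformed client info
Jan 14 10:05:15 rdp-srv01 kernel: xrdp[1299]: segfault at 7f3a4c2b1e10 ip 00007f3a4c2b1e10 sp 00007ffd6e0c3ea0 error 4 in xrdp
Jan 14 10:05:21 rdp-srv01 xrdp[1301]: [ERROR] connection from 198.51.100.23 failed: malformed client info
Jan 14 11:12:00 rdp-srv02 xrdp[877]: [ERROR] login failed for 10.20.30.9
Jan 14 11:40:00 rdp-srv02 xrdp[877]: [ERROR] login failed for 10.20.30.9
"""

# "MMM dd HH:MM:SS host program[pid]: message" (assumed layout)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Same extractions as the SPL rex commands: a dotted-quad client IP and an error keyword.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ERROR_RE = re.compile(r"(?i)\b(error|fail(?:ed|ure)?|crash(?:ed)?|segfault|buffer|overflow)\b")


def parse_line(line, year):
    """Split one syslog line into timestamp, host, program and message; None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {"time": ts, "host": m.group("host"), "prog": m.group("prog"), "msg": m.group("msg")}


def normalize_error(word):
    """Collapse 'failed'/'failure' to 'fail' and 'crashed' to 'crash', mirroring the SPL keyword list."""
    word = word.lower()
    for base in ("fail", "crash"):
        if word.startswith(base):
            return base
    return word


def detect_xrdp_error_bursts(lines, threshold=3, window_minutes=30, year=2025):
    """Return one alert per (host, window) whose xrdp error count exceeds the threshold.

    window_minutes must divide 60 so that windows align to the hour, as `bin _time span=30m` does.
    """
    buckets = defaultdict(lambda: {"errors": 0, "client_ips": set(), "error_types": set()})
    for line in lines:
        # Free-text filters from the SPL: the line must mention xrdp and an error keyword.
        if "xrdp" not in line.lower():
            continue
        err = ERROR_RE.search(line)
        if not err:
            continue
        ev = parse_line(line, year)
        if ev is None:
            continue
        t = ev["time"]
        window_start = t.replace(minute=(t.minute // window_minutes) * window_minutes,
                                 second=0, microsecond=0)
        bucket = buckets[(ev["host"], window_start)]
        bucket["errors"] += 1
        bucket["error_types"].add(normalize_error(err.group(1)))
        ip = IP_RE.search(ev["msg"])
        if ip:
            bucket["client_ips"].add(ip.group(1))

    alerts = []
    for (host, window_start), bucket in sorted(buckets.items()):
        if bucket["errors"] > threshold:  # same cut-off as `where Errors > 3`
            alerts.append({
                "host": host,
                "window_start": window_start.isoformat(),
                "errors": bucket["errors"],
                "client_ips": sorted(bucket["client_ips"]),
                "error_types": sorted(bucket["error_types"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_xrdp_error_bursts(SAMPLE_SYSLOG.splitlines()):
        print(alert)
```

On the sample data only rdp-srv01 trips the threshold: five error lines land in its 10:00 window, including the kernel segfault entry, while rdp-srv02's two login failures fall into separate windows. In production you would feed this the same lines the SPL query searches and tune the threshold against the false-positive sources listed below.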
Data Sources
Required Sourcetypes
False Positives & Tuning
- Network scanners performing RDP port enumeration
- Legitimate RDP connection bursts from VDI infrastructure
- xrdp errors from legitimate connection failures (wrong password, session limits)
Testing Methodology
Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Send oversized domain field in RDP Client Info PDU to xrdp
Expected signal: xrdp.log: error or crash entry with client IP. kern.log: segfault for xrdp process if exploit triggers without stack canary protection.