CVE-2025-68670 Sumo Logic CSE · Sumo

Detect xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence (CVE-2025-68670) in Sumo Logic CSE

CVE-2025-68670 is a critical unauthenticated stack buffer overflow (CWE-121) in xrdp versions prior to 0.10.5. During the RDP connection sequence, a remote unauthenticated attacker can send a specially crafted packet that overflows a stack buffer, potentially enabling remote code execution as the xrdp process user. CVSS 9.1. A public PoC exists. Patch to xrdp >= 0.10.5 immediately.

MITRE ATT&CK

Tactic
Initial Access Execution

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=linux/syslog OR _sourceCategory=linux/secure
| where _raw matches /xrdp/
| where _raw matches /(?i)(segfault|SIGSEGV|SIGABRT|overflow|core dumped|fatal|crash|stack smash)/ OR _sourcePort="3389" OR _destinationPort="3389"
| parse regex "(?<src_ip>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})" nodrop
| if(isNull(src_ip), "unknown", src_ip) as src_ip
| count by _sourceHost, src_ip, _raw
| sort by _count desc
critical severity medium confidence

Sumo Logic query identifying xrdp crash and error events alongside RDP port activity, enabling detection of CVE-2025-68670 exploitation attempts on Linux hosts.

Data Sources

Linux SyslogLinux Secure Log

Required Tables

linux/sysloglinux/secure

False Positives & Tuning

  • Legitimate administrative RDP sessions
  • xrdp errors from incompatible or misconfigured RDP clients
  • Log collection gaps producing incomplete event sequences
  • Scheduled xrdp service restarts during maintenance windows

Other platforms for CVE-2025-68670

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1xrdp Version Enumeration via RDP Banner Grab

    Expected signal: Network connection event to port 3389 from scanning host; xrdp access log entry for the probe connection.

  2. Test 2Malformed RDP X.224 PDU Fuzzing (PoC Simulation)

    Expected signal: xrdp crash log entry (SIGSEGV/SIGABRT/stack smashing detected) in /var/log/xrdp.log; core dump if ulimit -c unlimited is set; network connection event from test host to port 3389.

  3. Test 3Post-Exploitation Persistence Check (Simulated RCE Artifact)

    Expected signal: Auditd events for crontab modification by xrdp user; file creation event in /tmp for .xrdp_persist; process execution telemetry showing crontab -r invoked by non-interactive xrdp session.

Last updated: 2026-06-20 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2025-68670 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002Execution

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1136Create Account

Same Tactic: Initial Access

Popular Detections