title: xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence (CVE-2025-68670)
id: df00tech-cve-2025-68670
status: experimental
description: "CVE-2025-68670 is a critical (CVSS 9.1) unauthenticated stack-based buffer overflow in xrdp, the open-source RDP server widely deployed on Linux. The flaw is missing bounds checking on the user domain field processed during the RDP connection sequence, before any authentication takes place. A remote attacker can overflow the stack buffer and overwrite the saved return address, potentially redirecting execution to attacker-controlled code. Fixed in xrdp v0.10.5; earlier releases are affected. A build with stack canary protection partially mitigates the impact, because an overflow attempt aborts the xrdp process instead of hijacking control flow, but the advisory warns against relying on this in production. xrdp is commonly used to provide RDP access to Ubuntu, Debian, CentOS, and other Linux servers, including cloud VMs, developer workstations, and Linux-based infrastructure in SMB environments. Exploitation requires no credentials, only network access to the xrdp listener (TCP 3389 by default)."
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-68670
  - https://df00tech.com/detections/CVE-2025-68670
author: df00tech
date: 2026/04/22
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2025-68670
# NOTE: xrdp is a Linux service, so the auto-derived Windows network_connection logsource
# was wrong. The df00tech KQL/SPL for this CVE could not be auto-translated into Sigma; the
# selection below is an interim, generic one. It does not identify the exploit traffic
# itself: it matches the crash artifacts an xrdp process leaves when an overflow attempt is
# stopped by a stack canary (glibc "stack smashing detected") or corrupts the frame on a
# build without one (kernel "segfault at" record). Tune or replace it with the vendor query
# for your environment.
logsource:
  product: linux
  service: syslog
detection:
  keywords_crash:
    - 'stack smashing detected'
    - 'segfault at'
  keywords_xrdp:
    - 'xrdp'
  condition: keywords_crash and keywords_xrdp
falsepositives:
  - Legitimate high-frequency RDP connections from terminal servers or RDP session brokers
  - Vulnerability scanners performing authorised RDP service discovery
  - RDP load testing or automation frameworks
  - Unrelated xrdp crashes (other bugs, OOM kills, authorised fuzzing)
level: critical
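The description above names the bug class (a length-prefixed, attacker-controlled field copied into a fixed-size stack buffer before authentication) but the rule itself only carries the detection. The following is an added illustration written for this page; it is not xrdp's code and does not reproduce the real RDP Info PDU layout. The wire format (a 4-byte little-endian length followed by the bytes), the DOMAIN_MAX constant, and all function names are constructed for the example. It shows the vulnerable parse beside the hardened one, and the crash the canary remark in the description refers to can be triggered by building with -DDEMO_CRASH -fstack-protector-strong.

```c
/* Hypothetical illustration of the CVE-2025-68670 bug class, not xrdp's code.
 * An attacker-supplied, length-prefixed field from the pre-auth connection
 * sequence is copied into a fixed-size stack buffer. Wire layout, buffer size
 * and names are constructed for this example.
 * Build: cc -fstack-protector-strong -DDEMO_CRASH demo.c -o demo */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOMAIN_MAX 256   /* assumed stack buffer size, not the real xrdp constant */

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Constructed wire format: u32 little-endian length, then that many bytes. */
struct reader { const uint8_t *buf; size_t len; size_t pos; };

static int read_u32(struct reader *r, uint32_t *out)
{
    if (r->len - r->pos < 4)
        return -1;
    const uint8_t *p = r->buf + r->pos;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    r->pos += 4;
    return 0;
}

/* Vulnerable shape: the length is checked against the packet (so the read
 * stays in bounds) but never against the destination, so a domain longer
 * than the caller's buffer overwrites the rest of the stack frame. */
static enum parse_result parse_domain_unsafe(struct reader *r, char *dst)
{
    uint32_t len;
    if (read_u32(r, &len) || len > r->len - r->pos)
        return PARSE_TRUNCATED;
    memcpy(dst, r->buf + r->pos, len);   /* BUG: len is unbounded relative to dst */
    dst[len] = '\0';
    r->pos += len;
    return PARSE_OK;
}

/* Hardened shape: same parse, plus a destination bound (leaving room for the
 * terminator) checked before a single byte is copied. */
static enum parse_result parse_domain_safe(struct reader *r, char *dst, size_t dst_size)
{
    uint32_t len;
    if (read_u32(r, &len) || len > r->len - r->pos)
        return PARSE_TRUNCATED;
    if (len >= dst_size)
        return PARSE_TOO_LONG;
    memcpy(dst, r->buf + r->pos, len);
    dst[len] = '\0';
    r->pos += len;
    return PARSE_OK;
}

/* Each handler owns a DOMAIN_MAX stack buffer, as a server PDU handler would.
 * Returns the parsed domain length on success or a negative parse_result. */
int handle_logon_unsafe(const uint8_t *pdu, size_t n)
{
    char domain[DOMAIN_MAX];
    struct reader r = { pdu, n, 0 };
    enum parse_result rc = parse_domain_unsafe(&r, domain);
    return rc == PARSE_OK ? (int)strlen(domain) : (int)rc;
}

int handle_logon_safe(const uint8_t *pdu, size_t n)
{
    char domain[DOMAIN_MAX];
    struct reader r = { pdu, n, 0 };
    enum parse_result rc = parse_domain_safe(&r, domain, sizeof domain);
    return rc == PARSE_OK ? (int)strlen(domain) : (int)rc;
}

/* Build a constructed PDU: claimed_len on the wire, domain_len 'A' bytes
 * actually present (they differ to simulate a truncated packet). */
uint8_t *build_pdu(uint32_t claimed_len, size_t domain_len, size_t *out_n)
{
    *out_n = 4 + domain_len;
    uint8_t *pdu = malloc(*out_n);
    pdu[0] = claimed_len & 0xff;         pdu[1] = (claimed_len >> 8) & 0xff;
    pdu[2] = (claimed_len >> 16) & 0xff; pdu[3] = (claimed_len >> 24) & 0xff;
    memset(pdu + 4, 'A', domain_len);
    return pdu;
}

/* Parse a well-formed PDU carrying a domain of len bytes with either handler. */
int try_domain(uint32_t len, int use_safe)
{
    size_t n;
    uint8_t *pdu = build_pdu(len, len, &n);
    int rc = use_safe ? handle_logon_safe(pdu, n) : handle_logon_unsafe(pdu, n);
    free(pdu);
    return rc;
}

int try_truncated(void)
{
    size_t n;
    uint8_t *pdu = build_pdu(1000, 10, &n);   /* claims 1000 bytes, carries 10 */
    int rc = handle_logon_safe(pdu, n);
    free(pdu);
    return rc;
}

int main(void)
{
    printf("safe, 100-byte domain: %d\n", try_domain(100, 1));
    printf("safe, 256-byte domain: %d\n", try_domain(256, 1));
    printf("safe, truncated:       %d\n", try_truncated());
#ifdef DEMO_CRASH
    /* Same oversized input through the vulnerable handler: with a stack
     * protector glibc aborts with "*** stack smashing detected ***" (the
     * syslog artifact the rule above keys on); without one the saved return
     * address is overwritten. */
    try_domain(4096, 0);
#endif
    return 0;
}
```

The hardened parser rejects on the destination size before copying, which is the fix shape the description implies; the truncated case shows that checking the length against the packet alone, as the vulnerable version already does, is not the same check.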
