Kaspersky researchers describe CVE-2025-68670 as a remote code execution flaw in the xrdp server that is exploitable before authentication. The bug lies in xrdp_wm_parse_domain_information, which can overflow a 256-byte resultBuffer when processing a domain name of up to 512 bytes, potentially allowing an attacker to overwrite the return address on the stack.
The article notes that the overflow occurs when the domain name begins with an underscore and contains a portion up to a double underscore, with the growth in byte length when the UTF-16 input is converted to UTF-8 contributing to the risk. A PoC used an RDP file containing a long domain name designed to trigger the overflow, culminating in a crash from stack smashing; the same write-up explains that, when compiled with stack canaries, exploitation becomes non-trivial.
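A bounded version of the parse described above, added here as an illustration and not xrdp's own code: the field shape (UTF-16LE, leading underscore, portion ended by a double underscore), the 512-byte field limit and the 256-byte result buffer follow the write-up, while the function and helper names, the exact layout and the surrogate handling are assumptions. The point it shows is that a field within the wire limit can still exceed the result buffer once converted to UTF-8, so the copy must be bounded by the output size and reject rather than overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RESULT_BUF_SIZE 256   /* fixed size named in the write-up; layout here is hypothetical */
#define DOMAIN_WIRE_MAX 512   /* bytes of UTF-16LE the field may carry, per the write-up */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Encode one BMP code point as UTF-8; returns bytes written, 0 if it will not fit in cap. */
static size_t put_utf8(uint32_t cp, char *out, size_t cap) {
    if (cp < 0x80)  { if (cap < 1) return 0; out[0] = (char)cp; return 1; }
    if (cp < 0x800) { if (cap < 2) return 0; out[0] = (char)(0xC0 | (cp >> 6));
                      out[1] = (char)(0x80 | (cp & 0x3F)); return 2; }
    if (cap < 3) return 0;
    out[0] = (char)(0xE0 | (cp >> 12)); out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
    out[2] = (char)(0x80 | (cp & 0x3F)); return 3;
}

/* Bounded parse of a UTF-16LE domain field: if it starts with '_', the text up to the first
 * "__" is stored in result as NUL-terminated UTF-8. Returns 0 on success, -1 when the field
 * is malformed or the converted text would not fit (it is rejected, never written past the end). */
int parse_domain_information(const uint8_t *domain, size_t len, char result[RESULT_BUF_SIZE]) {
    size_t n = len / 2, out = 0;
    uint16_t prev = 0;
    if (len > DOMAIN_WIRE_MAX || n == 0 || rd16(domain) != '_') return -1;
    for (size_t i = 1; i < n; i++) {
        uint16_t u = rd16(domain + 2 * i);
        if (u == '_' && prev == '_') { result[--out] = '\0'; return 0; }  /* drop 1st '_' of "__" */
        if (u >= 0xD800 && u <= 0xDFFF) return -1;  /* surrogate pairs not handled in this example */
        size_t w = put_utf8(u, result + out, RESULT_BUF_SIZE - 1 - out);  /* keep room for NUL */
        if (w == 0) return -1;
        out += w; prev = u;
    }
    return -1;  /* no terminating "__" */
}

/* Test helper: encode an ASCII string as UTF-16LE, parse it; 1 if the result equals expected. */
int domain_portion_equals(const char *ascii, const char *expected) {
    uint8_t wire[DOMAIN_WIRE_MAX]; char result[RESULT_BUF_SIZE];
    size_t n = strlen(ascii);
    if (n * 2 > sizeof wire) return 0;
    for (size_t i = 0; i < n; i++) { wire[2 * i] = (uint8_t)ascii[i]; wire[2 * i + 1] = 0; }
    return parse_domain_information(wire, n * 2, result) == 0 && strcmp(result, expected) == 0;
}

/* Constructed case: '_' + 100 x U+4E2D + "__" is only 206 wire bytes, but the portion expands
 * to 300 UTF-8 bytes, more than the 256-byte buffer. Returns the parser's return code (-1). */
int expansion_case_rc(void) {
    uint8_t wire[206]; char result[RESULT_BUF_SIZE];
    wire[0] = '_'; wire[1] = 0;
    for (size_t i = 1; i <= 100; i++) { wire[2 * i] = 0x2D; wire[2 * i + 1] = 0x4E; }
    wire[202] = '_'; wire[203] = 0; wire[204] = '_'; wire[205] = 0;
    return parse_domain_information(wire, sizeof wire, result);
}
```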
The vulnerability was fixed in xrdp version 0.10.5 and backported to 0.9.27 and 0.10.4.1, with a security bulletin issued as GHSA-rwvg-gp87-gh6f. Remediation timelines cited span from 12 May 2025 to 27 January 2026, culminating in the patch merging into the main branch.