FKIE_CVE-2025-68670

Vulnerability from fkie_nvd - Published: 2026-01-27 16:16 - Updated: 2026-02-06 19:59
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems.
References
security-advisories@github.comhttps://github.com/neutrinolabs/xrdp/commit/488c8c7d4d189514a366cd8301b6e816c5218ffaPatch
security-advisories@github.comhttps://github.com/neutrinolabs/xrdp/releases/tag/v0.10.5Product, Release Notes
security-advisories@github.comhttps://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6fVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2026/02/msg00003.htmlMailing List
Impacted products
Vendor Product Version
neutrinolabs xrdp *
debian debian_linux 11.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF7BFA59-F9D6-4B4F-8CB7-137054E9C030",
              "versionEndExcluding": "0.10.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems."
    },
    {
      "lang": "es",
      "value": "xrdp es un servidor RDP de c\u00f3digo abierto. xrdp antes de la v0.10.5 contiene una vulnerabilidad de desbordamiento de b\u00fafer basado en pila no autenticado. El problema se deriva de una comprobaci\u00f3n de l\u00edmites incorrecta al procesar la informaci\u00f3n de dominio del usuario durante la secuencia de conexi\u00f3n. Si se explota, la vulnerabilidad podr\u00eda permitir a atacantes remotos ejecutar c\u00f3digo arbitrario en el sistema objetivo. La vulnerabilidad permite a un atacante sobrescribir el b\u00fafer de pila y la direcci\u00f3n de retorno, lo que te\u00f3ricamente podr\u00eda usarse para redirigir el flujo de ejecuci\u00f3n. El impacto de esta vulnerabilidad se reduce si se ha utilizado una bandera de compilador para construir el ejecutable de xrdp con protecci\u00f3n de stack canary. Si este es el caso, se necesitar\u00eda usar una segunda vulnerabilidad para filtrar el valor del stack canary. Actualice a la versi\u00f3n 0.10.5 para recibir un parche. Adem\u00e1s, no conf\u00ede en la protecci\u00f3n de stack canary en sistemas de producci\u00f3n."
    }
  ],
  "id": "CVE-2025-68670",
  "lastModified": "2026-02-06T19:59:50.957",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-27T16:16:16.037",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/neutrinolabs/xrdp/commit/488c8c7d4d189514a366cd8301b6e816c5218ffa"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00003.html"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-121"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.