{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/kaspersky-thin-client/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.1,"id":"CVE-2025-68670"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kaspersky USB Redirector","Kaspersky Thin Client","xrdp"],"_cs_severities":["critical"],"_cs_tags":["rce","xrdp","cve-2025-68670","remote-desktop","linux"],"_cs_type":"advisory","_cs_vendors":["Kaspersky","neutrinolabs"],"content_html":"\u003cp\u003eCVE-2025-68670 is a critical remote code execution vulnerability discovered in the xrdp server, affecting versions prior to 0.10.5. The vulnerability resides within the \u003ccode\u003exrdp_wm_parse_domain_information\u003c/code\u003e function, which processes the domain name provided by the client during the Secure Settings Exchange of the RDP connection establishment. An attacker can exploit this vulnerability by sending a crafted domain name that starts with an underscore, causing a buffer overflow in the \u003ccode\u003eresultIP\u003c/code\u003e buffer. This overflow allows the attacker to overwrite the return address on the stack, enabling arbitrary code execution within the context of the compromised process. The vulnerability was identified during a security assessment of Kaspersky USB Redirector. The maintainers of xrdp patched the vulnerability in version 0.10.5 and backported the fix to versions 0.9.27 and 0.10.4.1. Exploitation does not require authentication, making it a highly critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker initiates an RDP connection to the target xrdp server.\u003c/li\u003e\n\u003cli\u003eThe client and server begin the Secure Settings Exchange.\u003c/li\u003e\n\u003cli\u003eThe client sends a Client Info PDU containing a crafted domain name within the TS_INFO_PACKET structure. The malicious domain name starts with an underscore and is longer than 255 characters.\u003c/li\u003e\n\u003cli\u003eThe server receives the domain name and passes it to the \u003ccode\u003exrdp_wm_parse_domain_information\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003exrdp_wm_parse_domain_information\u003c/code\u003e function checks if the domain name starts with an underscore.\u003c/li\u003e\n\u003cli\u003eBecause the domain name begins with an underscore, the function attempts to copy a portion of the domain name into the \u003ccode\u003eresultIP\u003c/code\u003e buffer using \u003ccode\u003eg_strncpy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the crafted domain name\u0026rsquo;s length (longer than 255 bytes), \u003ccode\u003eg_strncpy\u003c/code\u003e overflows the \u003ccode\u003eresultIP\u003c/code\u003e buffer, overwriting the return address on the stack.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003exrdp_wm_parse_domain_information\u003c/code\u003e function returns, and the overwritten return address is used, redirecting execution to the attacker\u0026rsquo;s injected code, achieving arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-68670 allows an unauthenticated attacker to execute arbitrary code on the target system running a vulnerable version of xrdp. This could lead to complete system compromise, including data theft, malware installation, or denial of service. The vulnerability is particularly critical because it is pre-authentication, meaning no valid credentials are required to exploit it. While the exact number of victims is unknown, any system running a vulnerable xrdp version is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade xrdp to version 0.10.5 or later, or to versions 0.9.27 or 0.10.4.1 with the backported patch to remediate CVE-2025-68670.\u003c/li\u003e\n\u003cli\u003eApply the \u0026ldquo;Detect CVE-2025-68670 Exploitation Attempt via Long Domain\u0026rdquo; Sigma rule to identify potential exploitation attempts by detecting abnormally long domain names starting with an underscore in RDP traffic.\u003c/li\u003e\n\u003cli\u003eApply the \u0026ldquo;Detect CVE-2025-68670 Exploitation Attempt via process creation\u0026rdquo; Sigma rule to identify potential exploitation attempts by detecting process creations originating from xrdp processes.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for RDP connections with unusually long domain names in the client info packets, as this may indicate an attempted exploit.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T08:00:54Z","date_published":"2026-05-08T08:00:54Z","id":"/briefs/2026-05-xrdp-rce/","summary":"A pre-authentication remote code execution vulnerability exists in xrdp versions prior to 0.10.5, triggered by a buffer overflow in the xrdp_wm_parse_domain_information function when parsing a specially crafted domain name, allowing attackers to overwrite the return address and execute arbitrary code.","title":"CVE-2025-68670: xrdp Pre-Authentication Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-xrdp-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Kaspersky Thin Client","version":"https://jsonfeed.org/version/1.1"}