CVE-2024-39917

HIGH

xrdp < 0.10.0 - Unauthenticated Brute Force Attack via Unlimited Login Attempts

Title source: llm

Description

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

References (3)

Core 3

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/05/msg00018.html

Vendor Advisory x_refsource_confirm

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j

Patch x_refsource_misc

https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f

View Patch ZIP pw:eip

Scores

CVSS v3 7.2

EPSS 0.0060

EPSS Percentile 43.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-307

Status published

Products (1)

neutrinolabs/xrdp < 0.10.0

Published Jul 12, 2024

Tracked Since Feb 18, 2026