CVE-2025-68670

CRITICAL

xrdp < 0.10.5 - Unauthenticated Stack-based Buffer Overflow via User Domain Processing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-68670. PoCs published by exploitintel.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2025-68670, a pre-authentication stack-based buffer overflow in xrdp v0.10.4. It includes detailed technical analysis, crash PoCs, control flow probes, and a lab setup for reproducible testing.

Description

xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · cpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-68670

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2025-68670, a pre-authentication stack-based buffer overflow in xrdp v0.10.4. It includes detailed technical analysis, crash PoCs, control flow probes, and a lab setup for reproducible testing.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: xrdp v0.10.4

No auth needed

Prerequisites: Docker · Python 3 · Network access to target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 08, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory x_refsource_confirm

https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f

Patch x_refsource_misc

https://github.com/neutrinolabs/xrdp/commit/488c8c7d4d189514a366cd8301b6e816c5218ffa

View Patch ZIP pw:eip

Product, Release Notes x_refsource_misc

https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.5

Mailing List

https://lists.debian.org/debian-lts-announce/2026/02/msg00003.html

Related Analysis

xrdp Pre-Auth Overflow

From Crash to RCE

Scores

CVSS v3 9.1

EPSS 0.0021

EPSS Percentile 43.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-121 CWE-787

Status published

Products (2)

debian/debian_linux 11.0

neutrinolabs/xrdp < 0.10.5

Published Jan 27, 2026

Tracked Since Feb 18, 2026