← Back to blog

Critical xrdp Flaws Enable RCE, Brute-Force Attacks, and Session Bypass

Ubuntu security patches address four vulnerabilities in xrdp remote desktop software, including a critical bounds-checking flaw that enables arbitrary code execution and authentication bypass issues. Organizations running xrdp should prioritize updates to mitigate remote exploitation risks.

TL;DR

  • CVE-2025-68670: Bounds-checking failure in domain processing allows unauthenticated RCE or DoS
  • CVE-2024-39917: MaxLoginRetry parameter not enforced, enabling unlimited login brute-force attempts
  • CVE-2023-42822: Out-of-bounds font glyph access permits information disclosure (Ubuntu 24.04 LTS)
  • CVE-2023-40184: Session establishment errors bypass PAM-enforced restrictions on concurrent sessions

Canonical has released security updates addressing four vulnerabilities in xrdp, a widely-deployed open-source remote desktop protocol server. The flaws range from critical remote code execution to authentication and session management bypasses that could allow attackers to compromise systems or gain unauthorized access.

The most severe issue, CVE-2025-68670, stems from improper bounds checking during user domain information processing in the connection sequence. An unauthenticated attacker can trigger a crash or potentially execute arbitrary code without prior authentication. Additionally, a failure to enforce login attempt limits creates a vector for brute-force credential attacks.

Organizations using xrdp in production environments should apply these patches promptly, particularly those exposing remote desktop services to untrusted networks.

Critical Remote Code Execution and Denial of Service

  • CVE-2025-68670 exploits inadequate bounds checking in domain field processing during xrdp connection handshake
  • Unauthenticated remote attackers can trigger memory corruption leading to process crash or code execution
  • No authentication required; vulnerability is reachable at the network perimeter before credential validation

Authentication and Session Management Weaknesses

  • CVE-2024-39917: MaxLoginRetry configuration parameter is not enforced, permitting unlimited login attempts and credential brute-forcing
  • CVE-2023-40184: Session establishment error handling allows bypass of PAM-enforced restrictions, including concurrent session limits per user
  • CVE-2023-42822: Out-of-bounds font glyph access enables information disclosure on Ubuntu 24.04 LTS systems

Remediation and Risk Assessment

  • Apply USN-8476-1 patches across all affected Ubuntu releases immediately
  • Restrict xrdp network exposure using firewall rules and VPN access where feasible
  • Monitor for exploitation attempts targeting domain field processing and repeated failed login activity
  • Review PAM session policies and verify concurrent session limits are properly enforced post-patching

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

Critical xrdp Flaws Enable RCE, Brute-Force Attacks, and Session Bypass — Agent Breach Blog | Agent Breach