
Debian Patches CVE-2025-68670: Unauthenticated RCE in the xrdp RDP Server (DSA-6123-1)

On 7 February 2026 the Debian security team published advisory DSA-6123-1 to fix a critical flaw in xrdp, the open-source implementation of the Remote Desktop Protocol (RDP) that countless Linux servers rely on for remote desktop access. The bug, tracked as CVE-2025-68670, carries a CVSS score of 9.8 and lets an attacker run code remotely with no credentials at all.

What the vulnerability is

It’s a stack-based buffer overflow caused by sloppy bounds checking while the server processes the domain information the client sends during the early phase of the RDP connection. Kaspersky researchers traced the problem to the xrdp_wm_parse_domain_information() function: a 256-byte stack buffer (resultIP) receives data from a domain field that can reach 512 bytes in UTF-16, and nothing validates the length properly before the copy happens.

When the domain name starts with an underscore (_), the code looks for a delimiter and copies everything sitting between two sequences into that 256-byte buffer. Since the domain can expand in unpredictable ways once it’s converted to UTF-8, an attacker has room to craft a value that overruns the buffer and clobbers the stack.

Here’s the worst part: all of this runs before the client is authenticated. No valid username or password needed. An attacker only has to reach the service over the network to take a shot at triggering the bug.

Who is affected

Any Linux server running xrdp exposed on the network is in scope, especially on the standard RDP port (3389). That’s a common setup on corporate servers, remote-work environments and cloud machines that hand out remote desktops. Internet-facing deployments carry the highest risk.

Denis Skvortsov found the flaw during a security audit. The report went out on 5 December 2025, the CVE identifier was assigned on 24 December 2025, and the patch was merged into the project’s main branch on 27 January 2026.

Severity

Put remote code execution, no authentication and plain network reach together and you land squarely in the critical category (CVSS 9.8). A successful exploit can lead to full system compromise, denial of service, or unauthorized access to the affected Linux environment.

Mitigation and patch

The advice is blunt: update xrdp right away. Debian shipped fixed versions:

  • Bookworm (oldstable): 0.9.21.1-1+deb12u2
  • Trixie (stable): 0.10.1-3.1+deb13u1

Upstream, the fix landed in the main branch (version 0.10.5) and was backported to the 0.9.27 and 0.10.4.1 series.

To apply the update on Debian, run apt update && apt upgrade and restart the xrdp service. While you’re at it, don’t expose xrdp directly to the Internet: keep it on internal networks, put it behind a VPN or a bastion host, and lock down port 3389 at the firewall.
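To verify that the upgrade actually landed, the check below compares the installed xrdp package version against the fixed versions listed above using dpkg's version-ordering rules. This is an added example, not code from Debian or the xrdp project; the `dpkg-query` call and the version-comparison routine are my own, and the sample version strings in the test are constructed.

```python
"""Check an installed xrdp version against the DSA-6123-1 fixed versions."""
import re
import subprocess
from itertools import zip_longest

# Fixed Debian package versions from DSA-6123-1 (CVE-2025-68670).
FIXED = {"bookworm": "0.9.21.1-1+deb12u2", "trixie": "0.10.1-3.1+deb13u1"}

def _order(c):
    # dpkg character ordering: '~' before everything (even end of string),
    # end of string before letters, letters before other symbols.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare one fragment (upstream or revision) the way dpkg does:
    # alternate non-digit runs (character order) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(v1, v2):
    """Return <0, 0 or >0, like `dpkg --compare-versions` (epoch:upstream-revision)."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        up, sep, rev = rest.rpartition("-")
        return (int(epoch), up, rev) if sep else (int(epoch), rest, "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_patched(installed, suite):
    """True when `installed` is at or above the fixed version for `suite`."""
    return compare_versions(installed, FIXED[suite]) >= 0

def installed_xrdp_version():
    """Ask dpkg for the installed xrdp version; None if absent or not a Debian host."""
    try:
        cmd = ["dpkg-query", "-W", "-f=${Version}", "xrdp"]
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip() or None
    except (OSError, subprocess.CalledProcessError):
        return None
```

Run `is_patched(installed_xrdp_version(), "bookworm")` (or `"trixie"`) on the host after `apt upgrade`; a `False` means the vulnerable package is still installed.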

If you want to harden privilege separation on the underlying operating system, it’s also worth reviewing the kernel’s mandatory access control mechanisms.

The per-distribution status of the affected xrdp packages is available from Debian.
