CVE-2025-68670
xrdp · xrdp is an open source RDP server · Multiple Products
Executive summary
A critical, unauthenticated vulnerability exists in versions of xrdp, an open-source Remote Desktop Protocol (RDP) server, prior to v0.10.5. This flaw allows a remote attacker to execute arbitrary code on a vulnerable system without needing any credentials, potentially leading to a complete system compromise. Organizations using affected versions of xrdp are at high risk and should apply the available patch immediately.
Vulnerability
The vulnerability is an unauthenticated stack-based buffer overflow in the initial connection sequence. Before any credentials are checked, the xrdp server parses the client-supplied connection information, which includes a domain name together with a client-supplied length for it. The server does not validate that length against the fixed-size stack buffer the string is copied into. A remote attacker can therefore send a crafted connection request carrying an overly long domain name, overflow the buffer, and overwrite adjacent stack memory, including (depending on stack layout and mitigations such as stack canaries) the function's saved return address. Controlling the return address lets the attacker redirect execution to attacker-chosen code, yielding arbitrary code execution with the privileges of the xrdp process; what those privileges are depends on how the distribution packages and runs xrdp. Because the overflow happens during protocol setup, any host that can reach the listener can trigger it.
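The pattern described above, as an added example that is not xrdp's code: a parser that trusts a client-supplied domain length beside a hardened version that bounds it. In RDP the domain is carried in the Client Info PDU (TS_INFO_PACKET in MS-RDPBCGR) with a cbDomain length field; the wire layout used here (a 2-byte little-endian cbDomain followed by UTF-16LE data) is a constructed, simplified stand-in for that field, not the full PDU and not xrdp's real parser. The buffer size, function names and sample packets are assumptions for illustration.

```c
/*
 * Added example, not code from the xrdp project. Models the bug class in
 * the advisory: a client-supplied length for the domain string copied into
 * a fixed-size stack buffer. Wire layout is a constructed stand-in:
 * 2-byte little-endian cbDomain, then cbDomain bytes of UTF-16LE data.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOMAIN_BUF_LEN 256   /* assumed fixed-size stack destination */
#define MAX_PKT 2048         /* assumed receive buffer size */

/* Vulnerable pattern: trusts cbDomain. Kept for contrast only; it is never
 * called with attacker-controlled input in this file. */
int parse_domain_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    char domain[DOMAIN_BUF_LEN];
    uint16_t cb_domain;

    if (pkt_len < 2)
        return -1;
    cb_domain = (uint16_t)(pkt[0] | (pkt[1] << 8));
    /* BUG: cb_domain is never compared with sizeof(domain). A value above
     * 256 writes past the buffer toward the saved return address, and a
     * value above pkt_len - 2 also reads past the received data. */
    memcpy(domain, pkt + 2, cb_domain);
    return (int)cb_domain;
}

/* Hardened: the length is checked against the bytes actually received and
 * against the destination before any copy. Returns the domain length in
 * characters, or -1 for a malformed or oversized field. Only printable
 * ASCII code units are accepted, to keep the example short. */
int parse_domain_hardened(const uint8_t *pkt, size_t pkt_len,
                          char *out, size_t out_len)
{
    uint16_t cb_domain;
    size_t nchars, i;

    if (pkt_len < 2 || out_len == 0)
        return -1;
    cb_domain = (uint16_t)(pkt[0] | (pkt[1] << 8));
    if (cb_domain & 1)              /* UTF-16LE: byte count must be even */
        return -1;
    if (cb_domain > pkt_len - 2)    /* claims more bytes than were received */
        return -1;
    nchars = cb_domain / 2;
    if (nchars >= out_len)          /* no room for the string and terminator */
        return -1;
    for (i = 0; i < nchars; i++) {
        uint16_t cu = (uint16_t)(pkt[2 + 2 * i] | (pkt[3 + 2 * i] << 8));
        if (cu < 0x20 || cu > 0x7e)
            return -1;
        out[i] = (char)cu;
    }
    out[nchars] = '\0';
    return (int)nchars;
}

/* Encodes an ASCII domain into the constructed layout with an honest
 * cbDomain. Returns the packet length, or 0 if it does not fit. */
size_t build_domain_packet(uint8_t *buf, size_t buf_len, const char *ascii)
{
    size_t n = strlen(ascii), cb = n * 2, i;

    if (cb > 0xffff || cb + 2 > buf_len)
        return 0;
    buf[0] = (uint8_t)(cb & 0xff);
    buf[1] = (uint8_t)(cb >> 8);
    for (i = 0; i < n; i++) {
        buf[2 + 2 * i] = (uint8_t)ascii[i];
        buf[3 + 2 * i] = 0;
    }
    return cb + 2;
}

/* Normal client sending domain "CORP": accepted, returns 4. */
int scenario_benign(void)
{
    uint8_t pkt[MAX_PKT];
    char out[DOMAIN_BUF_LEN];
    size_t len = build_domain_packet(pkt, sizeof pkt, "CORP");
    return parse_domain_hardened(pkt, len, out, sizeof out);
}

/* Crafted request: 512-character domain, so cbDomain = 1024 bytes, which
 * would overrun the 256-byte stack buffer in the vulnerable parser.
 * The hardened parser rejects it: returns -1. */
int scenario_oversized(void)
{
    uint8_t pkt[MAX_PKT];
    char out[DOMAIN_BUF_LEN];
    char big[513];
    size_t len;

    memset(big, 'A', 512);
    big[512] = '\0';
    len = build_domain_packet(pkt, sizeof pkt, big);
    return parse_domain_hardened(pkt, len, out, sizeof out);
}

/* Truncated request: cbDomain claims 16 bytes but only 4 follow. Rejected
 * before any out-of-bounds read: returns -1. */
int scenario_truncated(void)
{
    const uint8_t pkt[] = { 0x10, 0x00, 'C', 0x00, 'O', 0x00 };
    char out[DOMAIN_BUF_LEN];
    return parse_domain_hardened(pkt, sizeof pkt, out, sizeof out);
}

int main(void)
{
    printf("benign:    %d\n", scenario_benign());
    printf("oversized: %d\n", scenario_oversized());
    printf("truncated: %d\n", scenario_truncated());
    return 0;
}
```

The two checks that matter are the ones the vulnerable function lacks: the claimed length is bounded by the bytes actually received (no over-read) and by the destination size (no over-write). Both belong before the copy, and the parser should fail closed rather than silently truncate, since a client that lies about lengths is already hostile.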
Business impact
With a critical CVSS score of 9.1, this vulnerability poses a severe threat to the business. Successful exploitation could lead to a complete compromise of the affected server, granting an attacker full control. This could result in the theft of sensitive data, deployment of ransomware, disruption of critical services, or the use of the compromised system as a pivot point to attack other internal network resources. The unauthenticated nature of the vulnerability means that any system running a vulnerable version of xrdp exposed to the internet is a prime target for attack, significantly increasing the risk of a security breach.
Remediation
Immediate Action: Upgrade all instances of xrdp to version 0.10.5 or later, which contains the fix, prioritizing any listener reachable from the internet or from untrusted networks. Because the flaw is triggered before authentication, every host that can reach the RDP port is in scope, not only hosts with valid accounts. After patching, review xrdp and system logs for evidence of exploitation attempts that predate the update.
Proactive Monitoring: Implement enhanced monitoring on systems running xrdp. Scrutinize xrdp logs for connection attempts with unusually long or malformed domain names, and watch for unexpected xrdp crashes or restarts in system logs, since a failed overflow attempt typically terminates the process. Monitor network traffic on the RDP port (typically TCP/3389) for anomalous patterns or spikes in connection attempts from unknown sources. Use endpoint detection and response (EDR) tooling to flag suspicious child processes or network connections originating from the xrdp service.
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce the attack surface:
- Restrict access to the xrdp service using a firewall or network access control lists (ACLs) to allow connections only from trusted IP addresses or internal networks.
- Require connections to be made through a Virtual Private Network (VPN), preventing direct exposure of the xrdp service to the public internet.
- Place the service behind an RDP-aware gateway or an intrusion prevention system that can inspect and filter RDP connections for malicious patterns, if one is available. Note that a web application firewall (WAF) inspects HTTP and does not apply to RDP traffic.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.1) and the fact that this vulnerability can be exploited remotely without authentication, we strongly recommend that organizations treat this as a high-priority issue. All vulnerable xrdp instances should be patched to version 0.10.5 or later on an emergency basis. Although no public exploit is known and the CVE is not currently on the CISA KEV list, an unauthenticated stack overflow in a widely deployed network service is a likely target for future exploitation. If patching cannot be performed immediately, apply the compensating controls above, in particular restricting access to the RDP port with firewall rules, to reduce the immediate risk.