| Reporter | Title | Published | Views | Family All 63 |
|---|---|---|---|---|
| xrdp -- remote code execution | 6 Dec 202500:00 | – | freebsd | |
| CVE-2025-68670 | 27 Jan 202615:52 | – | attackerkb | |
| CVE-2025-68670 | 27 Jan 202615:52 | – | alpinelinux | |
| Astra Linux – Vulnerability in xrdp | 19 Jun 202611:10 | – | astralinux | |
| The vulnerability of the XRDP server, related to the execution of operations beyond the buffer in memory, allows a hacker to execute arbitrary code. | 30 Jan 202600:00 | – | bdu_fstec | |
| CVE-2025-68670 | 27 Jan 202616:49 | – | circl | |
| xrdp security vulnerabilities | 27 Jan 202600:00 | – | cnnvd | |
| CVE-2025-68670 | 27 Jan 202615:52 | – | cve | |
| CVE-2025-68670 xrdp improperly checks bounds of domain string length, which leads to Stack-based Buffer Overflow | 27 Jan 202615:52 | – | cvelist | |
| [SECURITY] [DLA 4464-1] xrdp security update | 3 Feb 202600:16 | – | debian |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2026-b409dad73e
#
include('compat.inc');
if (description)
{
script_id(298310);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/07");
script_cve_id("CVE-2025-68670");
script_xref(name:"FEDORA", value:"2026-b409dad73e");
script_name(english:"Fedora 42 : xorgxrdp / xrdp (2026-b409dad73e)");
script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Fedora 42 host has packages installed that are affected by multiple vulnerabilities as referenced in the
FEDORA-2026-b409dad73e advisory.
Release notes for xrdp v0.10.5 (2026/01/27)
Security fixes
- CVE-2025-68670: Improper bounds checking of domain string length leads to Stack-based Buffer Overflow
New features
- It is now possible to start the xrdp daemon entirely unprivileged from the service manager (#3599
#3603). If you do this certain restrictions will apply. See
https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root for details.
- TLS pre-master secrets can now be recorded for packet captures (#3617)
- Add a FuseRootReportMaxFree to work around 'no free space' issues with some file managers (#3639)
- Alternate shell names can now be passed to startwm.sh in an environment variable for more system
management control (#3624 #3651)
- Updated Xorg paths in sesman.ini to include more recent distros (#3663)
- Add Slovenian keyboard (#3668 #3670)
- xrdpapi: Add a way to monitor connect/disconnect events (#3693)
Bug fixes
- Allow an empty X11 UTF8_STRING to be pasted to the clipboard (#3580 #3582)
- Fix a regression introduced in v0.10.x, where it became impossible to connect to a VNC server which did
not support the ExtendedDesktopSize encoding (#3540 #3584)
- Fix a regression introduced in v0.10.x related to PAM groups handling (#3594)
- Inconsistencies with [MS-RDPBCGR] have been addressed (#3608)
- A reference to uninitialised data within the verify_user_pam_userpass.c module has been fixed (#3638)
- Prevent some possible crashes when the RFX encoder is resized (#3590 #3644)
- Fixes a regression introduced by GFX development which prevented the JPEG encoder from working correctly
(#3649)
- Fixes a regression introduced by #2974 which resulted in the xrdp PID file being deleted unexpectedly
(#3650)
- Do not overwrite a VNC port set by the user when not using sesman (#3674)
- Fix regression from 0.9.x when freerdp client uses /workarea (#3618 #3676)
- Fixes a crash where a resize is attempted with drdynvc disabled (#3672 #3680)
- getgrouplist() now compiles on MacOS (#3575)
- Various Coverity warnings have been addressed (#3656)
- Documentation improvements (#3665)
Internal changes
- An unnecessary include of sys/signal.h causing a compile warning on MUSL-C has been removed (#3679)
Release notes for xorgxrdp v0.10.5 (2026/01/28)
Bug fixes
- Fix bug in Chrome pointer detection (#394 #396)
Internal changes
- CI: Update FreeBSD xrdp dependency (#398)
Tenable has extracted the preceding description block directly from the Fedora security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2026-b409dad73e");
script_set_attribute(attribute:"solution", value:
"Update the affected 1:xrdp and / or xorgxrdp packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-68670");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/27");
script_set_attribute(attribute:"patch_publication_date", value:"2026/01/28");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/02/07");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:42");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xorgxrdp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xrdp");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Fedora Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include('rpm2.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'Fedora' >!< os_product) audit(AUDIT_OS_NOT, 'Fedora');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');
if (! preg(pattern:"^42([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'Fedora 42', 'Fedora ' + os_version);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);
var constraints = [
{
'release': '42',
'pkgs': [
{'reference':'xorgxrdp-0.10.5-1.fc42', 'rpm_spec_vers_cmp':TRUE},
{'reference':'xrdp-0.10.5-1.fc42', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}
]
}
];
var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');
var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
# Check that the target release is equal to the affected release
if (!empty_or_null(constraint['release'])){
if (constraint['release'] != os_release) continue;
}
if (!empty_or_null(constraint['sp'])){
if (constraint['sp'] != os_sp) continue;
}
foreach var pkg ( constraint['pkgs'] ) {
reference = NULL;
sp = NULL;
_cpu = NULL;
el_string = NULL;
rpm_spec_vers_cmp = NULL;
epoch = NULL;
allowmaj = NULL;
exists_check = NULL;
cves = NULL;
if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (reference &&
## (no known rpm to check OR known rpm_exists)
(!exists_check || rpm_exists(rpm:exists_check)) &&
rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'xorgxrdp / xrdp');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation