External risk intelligence

Remote Desktop flaw lets attackers alter traffic and gain control

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-32105

An xrdp remote desktop flaw allows attackers to alter encrypted traffic without detection, potentially leading to unauthorized access. This issue affects connections not using TLS security.

4Halo Surface Signal

Neutrinolabs Xrdp

before 0.10.6

External exposure likelihood

Halo Surface Signal score for CVE-2026-32105

xrdp is a remote desktop service that facilitates remote connectivity. As a remote access service, it is commonly deployed in configurations that make the interface reachable from external networks or the internet to enable administrative or user access.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in xrdp allows an unauthenticated attacker to tamper with encrypted remote desktop traffic without detection. Because the Message Authentication Code signature check is missing for the \"Classic RDP Security\" layer, modifications to data in transit will go unnoticed. This could lead to unauthorized data manipulation or unauthorized access to sensitive systems.

  • Attackers can modify traffic.
  • This affects remote desktop sessions.
  • Requires man-in-the-middle capabilities.

Attack Path

How an attacker could exploit the issue

An attacker with man-in-the-middle capabilities could exploit this vulnerability to tamper with encrypted RDP traffic without detection. By bypassing the Message Authentication Code (MAC) validation, they could alter data packets in transit, potentially leading to unauthorized access or modification of the remote system. This attack requires the Classic RDP Security layer to be in use, not TLS.

  • Network access needed.
  • Modifies encrypted RDP traffic.
  • Classic RDP security layer used.

Live Threat

Current exploitation, exposure, and threat context

Attackers are unlikely to prioritize weaponizing this vulnerability due to the specific network conditions required for exploitation. The vulnerability is confined to the "Classic RDP Security" layer and does not affect TLS-enforced connections, which are often the default or recommended configuration for secure remote access. This specificity limits its broad applicability.

  • Requires MITM on classic RDP.
  • TLS enforcement bypasses the flaw.
  • Affects older xrdp versions.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading xrdp to version 0.10.6 or newer to address the critical vulnerability in its MAC signature verification for encrypted RDP packets. If an immediate upgrade is not feasible, enforce TLS security by configuring `security_layer=tls` in `xrdp.ini` to mitigate the risk of attackers modifying traffic in transit.

  • Upgrade xrdp to 0.10.6.
  • Configure `security_layer=tls` if upgrading is delayed.
  • Monitor network traffic for anomalies.

Frequently asked questions

What is xrdp and what is it used for?

xrdp is an open-source server that allows users to remotely access and control their computers using the Remote Desktop Protocol (RDP). It's commonly used to enable remote administration or provide access to graphical desktop environments on Linux systems from other machines.

What weakness does CVE-2026-32105 expose in xrdp?

CVE-2026-32105 reveals that xrdp, when using the "Classic RDP Security" layer, fails to validate the Message Authentication Code (MAC) signature on encrypted RDP packets. This weakness, categorized as CWE-354, allows attackers to alter the traffic without the system detecting the modification.

How can an attacker exploit this xrdp vulnerability?

An unauthenticated attacker with man-in-the-middle capabilities can exploit this by intercepting and modifying encrypted RDP traffic in transit. The vulnerability is triggered because xrdp doesn't check the message integrity signature, so these unauthorized changes go unnoticed. This does not occur if the TLS security layer is enforced.

Who should be concerned about CVE-2026-32105?

Organizations using xrdp, particularly those where it is exposed to the internet or external networks for remote access, should be concerned. Halo Surface Signal indicates a 'Likely' exposure score because xrdp, as a remote access service, is often configured for external reachability.

What's the first step to address this xrdp CVE?

The recommended first step is to upgrade xrdp to version 0.10.6 or later. If an immediate upgrade isn't possible, administrators should configure xrdp.ini to enforce TLS security by setting `security_layer=tls`.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified