CVE-2026-32105
Published: 17 April 2026
Summary
CVE-2026-32105 is a high-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in Neutrinolabs Xrdp. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The vulnerability is ranked at the 13.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-8 (Transmission Confidentiality and Integrity).
Mitigating Controls (NIST 800-53 r5)
- SC-8 (Transmission Confidentiality and Integrity): requires cryptographic protection of the confidentiality and integrity of transmitted information, directly addressing the missing MAC signature verification in xrdp's Classic RDP Security layer that allows MITM modification.
- SI-2 (Flaw Remediation): mandates identification, reporting, and correction of system flaws such as the unverified MAC signatures in xrdp versions through 0.10.5, here by upgrading to 0.10.6.
- CM-6 (Configuration Settings): establishes and enforces secure configuration settings such as security_layer=tls in xrdp.ini, ensuring end-to-end integrity and mitigating the vulnerability pending patching.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing MAC verification in Classic RDP Security directly enables undetected MITM tampering (Adversary-in-the-Middle, T1557) and in-transit modification of RDP data (Transmitted Data Manipulation, T1565.002).
NVD Description
xrdp is an open source RDP server. In versions through 0.10.5, xrdp does not implement verification for the Message Authentication Code (MAC) signature of encrypted RDP packets when using the "Classic RDP Security" layer. While the sender correctly generates signatures, the receiving logic lacks the necessary implementation to validate the 8-byte integrity signature, causing it to be silently ignored. An unauthenticated attacker with man-in-the-middle (MITM) capabilities can exploit this missing check to modify encrypted traffic in transit without detection. It does not affect connections where the TLS security layer is enforced. This issue has been fixed in version 0.10.6. If users are unable to immediately upgrade, they should configure xrdp.ini to enforce TLS security (security_layer=tls) to ensure end-to-end integrity.
Deeper analysis
CVE-2026-32105 affects xrdp, an open source Remote Desktop Protocol (RDP) server, in versions through 0.10.5. The vulnerability stems from a lack of verification for the Message Authentication Code (MAC) signature on encrypted RDP packets when using the "Classic RDP Security" layer. Although the sender generates the 8-byte integrity signature correctly, the receiver discards it without validation, so modifications to encrypted traffic go undetected. The issue is classified under CWE-354 (Improper Validation of Integrity Check Value) and does not impact connections using the TLS security layer.
An unauthenticated attacker positioned for man-in-the-middle (MITM) interception can exploit this flaw to alter RDP traffic in transit without detection, potentially compromising confidentiality and integrity. The CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L) reflects a network-accessible attack requiring high complexity, such as ARP spoofing or BGP hijacking, with no privileges or user interaction needed, but limited availability impact.
The vulnerability is addressed in xrdp version 0.10.6. For systems unable to upgrade immediately, administrators should edit xrdp.ini to enforce the TLS security layer by setting security_layer=tls, ensuring end-to-end integrity. Details are available in the release notes at https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.6 and the security advisory at https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j2jm-c596-c5q3.
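To make the receiver-side gap concrete, the following added example (not xrdp's code) contrasts a receiver that skips the 8-byte dataSignature with one that recomputes and compares it. The MAC construction is assumed to follow the MS-RDPBCGR Classic RDP Security definition (MD5 over SHA-1 with the two pad constants); the RC4 encryption layer is omitted, and the key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

# Assumption: MS-RDPBCGR Classic RDP Security MAC construction, not xrdp's own
# source. The RC4 layer is left out; the signature covers the plaintext, so a
# real receiver checks it after decryption.
PAD1 = b"\x36" * 40
PAD2 = b"\x5c" * 48

def classic_mac(mac_key: bytes, data: bytes) -> bytes:
    """First 8 bytes of MD5(key | Pad2 | SHA1(key | Pad1 | len(data) LE32 | data))."""
    sha = hashlib.sha1(mac_key + PAD1 + struct.pack("<I", len(data)) + data).digest()
    return hashlib.md5(mac_key + PAD2 + sha).digest()[:8]

def build_packet(mac_key: bytes, data: bytes) -> bytes:
    """Sender side: 8-byte dataSignature followed by the payload."""
    return classic_mac(mac_key, data) + data

def receive_unverified(mac_key: bytes, packet: bytes) -> bytes:
    """Receiver behaviour described for xrdp <= 0.10.5: signature skipped, never checked."""
    return packet[8:]

def receive_verified(mac_key: bytes, packet: bytes) -> bytes:
    """Receiver with the missing check: recompute and compare in constant time."""
    if len(packet) < 8:
        raise ValueError("packet too short for a security header")
    sig, data = packet[:8], packet[8:]
    if not hmac.compare_digest(sig, classic_mac(mac_key, data)):
        raise ValueError("MAC signature mismatch: payload altered in transit")
    return data

def demo() -> tuple:
    """Constructed sample: a valid packet and a single-byte in-transit change."""
    key = bytes(range(16))  # constructed 128-bit MAC key
    packet = build_packet(key, b"constructed RDP payload")
    # A flipped bit in an RC4 ciphertext flips the same bit in the plaintext, so
    # an in-transit change arrives at the receiver as an altered payload.
    altered = packet[:8] + bytes([packet[8] ^ 0x01]) + packet[9:]
    silently_accepted = receive_unverified(key, altered)
    try:
        receive_verified(key, altered)
        rejected = False
    except ValueError:
        rejected = True
    return silently_accepted, rejected
```

demo() returns the altered payload the unverified receiver hands to the application, together with a flag showing that the verifying receiver rejected the same packet.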
Details
- CWE(s): CWE-354 (Improper Validation of Integrity Check Value)