Cyber Resilience

CVE-2026-32105

Severity: Critical
Published: 17 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (fixed in 0.10.6)
CVSS v4.0 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0017 (7.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-32105 is a critical-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in Neutrinolabs Xrdp. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). EPSS ranks it at the 7.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2026-32105 affects xrdp, an open source Remote Desktop Protocol (RDP) server, in versions through 0.10.5. The vulnerability stems from a lack of verification of the Message Authentication Code (MAC) signature on encrypted RDP packets when the "Classic RDP Security" layer is in use. Although the sender generates the 8-byte integrity signature correctly, the receiver never validates it, so modifications to encrypted traffic go undetected. The issue is classified as CWE-354 (Improper Validation of Integrity Check Value) and does not affect connections that use the TLS security layer.

An unauthenticated attacker positioned for man-in-the-middle (MITM) interception can exploit this flaw to alter RDP traffic in transit without detection, potentially compromising confidentiality and integrity. The CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L) reflects a network-accessible attack requiring high complexity, such as ARP spoofing or BGP hijacking, with no privileges or user interaction needed, but limited availability impact.

The vulnerability is addressed in xrdp version 0.10.6. For systems unable to upgrade immediately, administrators should edit xrdp.ini to enforce the TLS security layer by setting security_layer=tls, ensuring end-to-end integrity. Details are available in the release notes at https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.6 and the security advisory at https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j2jm-c596-c5q3.
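The following is an added example, not xrdp code and not the MS-RDPBCGR signature algorithm: it models the CWE-354 pattern described above with a toy XOR stream cipher and an 8-byte truncated HMAC-SHA256 standing in for the protocol's 8-byte MAC signature. The vulnerable receiver slices the signature off the packet and ignores it, so a single flipped ciphertext byte silently becomes a flipped plaintext byte; the fixed receiver verifies the signature in constant time before decrypting and rejects the tampered packet. Keys and the sample payload are constructed for reproducibility.

```python
import hashlib
import hmac

TAG_LEN = 8  # the protocol's integrity signature is 8 bytes; same length used here


def keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter keystream (stand-in for the real cipher; assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(enc_key: bytes, data: bytes) -> bytes:
    """XOR stream cipher: malleable, which is exactly why the MAC matters."""
    return bytes(a ^ b for a, b in zip(data, keystream(enc_key, len(data))))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def mac_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """8-byte truncated HMAC over length || ciphertext (stand-in for the RDP MAC)."""
    msg = len(ciphertext).to_bytes(4, "little") + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_packet(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Sender side: signature prepended to ciphertext, as the sender does correctly."""
    ct = toy_encrypt(enc_key, plaintext)
    return mac_tag(mac_key, ct) + ct


def receive_vulnerable(enc_key: bytes, mac_key: bytes, packet: bytes) -> bytes:
    """CWE-354: the signature is parsed off the wire but never checked."""
    _tag, ct = packet[:TAG_LEN], packet[TAG_LEN:]
    return toy_decrypt(enc_key, ct)


def receive_fixed(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Verify before decrypting; return None so the caller drops the connection."""
    tag, ct = packet[:TAG_LEN], packet[TAG_LEN:]
    if not hmac.compare_digest(tag, mac_tag(mac_key, ct)):
        return None
    return toy_decrypt(enc_key, ct)


def flip_byte(packet: bytes, index: int, mask: int = 0x01) -> bytes:
    """Simulate in-transit corruption of one byte (used here to test detection)."""
    b = bytearray(packet)
    b[index] ^= mask
    return bytes(b)


def demo() -> dict:
    enc_key, mac_key = b"\x11" * 16, b"\x22" * 16  # constructed fixed keys
    plaintext = b"keystroke:a"                      # constructed sample payload
    packet = build_packet(enc_key, mac_key, plaintext)
    tampered = flip_byte(packet, TAG_LEN + len(plaintext) - 1)  # last ciphertext byte
    return {
        "vuln_clean": receive_vulnerable(enc_key, mac_key, packet),
        "vuln_tampered": receive_vulnerable(enc_key, mac_key, tampered),
        "fixed_clean": receive_fixed(enc_key, mac_key, packet),
        "fixed_tampered": receive_fixed(enc_key, mac_key, tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The vulnerable receiver returns `b"keystroke:`"` for the tampered packet, a different keystroke than the one sent, with no error; the fixed receiver returns None for the same input. The `hmac.compare_digest` call matters as well: a plain `==` on the tag would reintroduce a timing side channel even after the check is added.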

Vulnerability details

xrdp is an open source RDP server. In versions through 0.10.5, xrdp does not implement verification for the Message Authentication Code (MAC) signature of encrypted RDP packets when using the "Classic RDP Security" layer. While the sender correctly generates signatures, the receiving logic lacks the necessary implementation to validate the 8-byte integrity signature, causing it to be silently ignored. An unauthenticated attacker with man-in-the-middle (MITM) capabilities can exploit this missing check to modify encrypted traffic in transit without detection. It does not affect connections where the TLS security layer is enforced. This issue has been fixed in version 0.10.6. If users are unable to immediately upgrade, they should configure xrdp.ini to enforce TLS security (security_layer=tls) to ensure end-to-end integrity.

CWE(s)

CWE-354 Improper Validation of Integrity Check Value

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing …

T1565.002 Transmitted Data Manipulation (Impact)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The missing MAC verification in Classic RDP Security directly enables undetected MITM tampering (Adversary-in-the-Middle) and in-transit modification of RDP data (Transmitted Data Manipulation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33689 (same product: Neutrinolabs Xrdp)
CVE-2026-32623 (same product: Neutrinolabs Xrdp)
CVE-2026-32107 (same product: Neutrinolabs Xrdp)
CVE-2026-35512 (same product: Neutrinolabs Xrdp)
CVE-2026-33516 (same product: Neutrinolabs Xrdp)
CVE-2026-5479 (shared CWE-354)
CVE-2025-68670 (same product: Neutrinolabs Xrdp)
CVE-2026-32313 (shared CWE-354)
CVE-2026-28402 (shared CWE-354)
CVE-2023-48795 (shared CWE-354)

Affected Assets

Vendor: neutrinolabs
Product: xrdp
Versions: ≤ 0.10.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

SC-8 Transmission Confidentiality and Integrity (prevent)
Requires cryptographic protection of confidentiality and integrity for transmitted information, directly addressing the missing MAC signature verification in xrdp's Classic RDP Security layer that allows MITM modification.

SI-2 Flaw Remediation (prevent)
Mandates identification, reporting, and correction of system flaws, such as the unverified MAC signatures in xrdp versions through 0.10.5, via upgrade to 0.10.6.

CM-6 Configuration Settings (prevent)
Establishes and enforces secure configuration settings such as security_layer=tls in xrdp.ini to ensure end-to-end integrity and mitigate the vulnerability pending patching.
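The CM-6 control above comes down to one setting in xrdp.ini. The following is an added example, not part of this record or of the xrdp project: a small audit that reads xrdp.ini text, reports whether security_layer is set to tls, and rewrites the file line by line so that it is, preserving comments and unrelated keys. It assumes the setting lives in the `[Globals]` section of xrdp.ini (the section name is an assumption; the page only names the file and the key); the sample configurations are constructed, not the project's shipped defaults.

```python
import configparser

# Constructed sample: a server that still allows the Classic RDP Security layer.
SAMPLE_WEAK_INI = """\
[Globals]
; constructed sample, not the project's shipped xrdp.ini
port=3389
security_layer=negotiate

[Logging]
LogLevel=INFO
"""

# Constructed sample: the configuration the advisory recommends.
SAMPLE_FIXED_INI = SAMPLE_WEAK_INI.replace("security_layer=negotiate",
                                           "security_layer=tls")


def audit_security_layer(ini_text: str) -> tuple:
    """Return ('enforced' | 'not_enforced' | 'not_set', value) for security_layer.

    Anything other than 'tls' leaves Classic RDP Security reachable, which is the
    configuration the advisory's workaround removes.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    value = cp.get("Globals", "security_layer", fallback=None)  # section name assumed
    if value is None:
        return ("not_set", None)
    value = value.strip().lower()
    if value == "tls":
        return ("enforced", value)
    return ("not_enforced", value)


def enforce_tls(ini_text: str) -> str:
    """Set security_layer=tls inside [Globals], touching no other line.

    A configparser write-back would drop comments and reorder keys, so the
    rewrite is done textually: replace an existing security_layer line, or
    append one at the end of [Globals] if none is present.
    """
    out, in_globals, done = [], False, False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            if in_globals and not done:
                out.append("security_layer=tls")
                done = True
            in_globals = stripped.lower() == "[globals]"
        elif in_globals and stripped.split("=", 1)[0].strip().lower() == "security_layer":
            line = "security_layer=tls"
            done = True
        out.append(line)
    if in_globals and not done:
        out.append("security_layer=tls")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit_security_layer(SAMPLE_WEAK_INI))
    hardened = enforce_tls(SAMPLE_WEAK_INI)
    print("after: ", audit_security_layer(hardened))
    print(hardened)
```

On a real host the audit would be pointed at the running server's xrdp.ini and followed by a service restart; it is a stop-gap that reports and enforces the workaround, not a substitute for upgrading to 0.10.6.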

References

Release notes: https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.6
Security advisory: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j2jm-c596-c5q3