PT-2024-9098 · Xrdp+5

Txtdawg · Published 2024-07-12 · Updated 2026-05-19 · CVE-2024-39917

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: xrdp versions prior to 0.10.0
Description: xrdp is an open source RDP server. Versions prior to 0.10.0 contain a vulnerability that allows an attacker to make an unlimited number of login attempts. The number of login attempts is supposed to be limited by the MaxLoginRetry configuration parameter in /etc/xrdp/sesman.ini, but this mechanism was not effective, so xrdp allowed an unlimited number of login attempts. A remote attacker could potentially exploit this to gain unauthorized access through a brute-force attack.
Recommendations: To resolve the issue, update to version 0.10.0 or later. As a temporary workaround, restrict network access to the xrdp server or add further authentication measures to reduce the risk of exploitation.

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts

Related Identifiers

ALT-PU-2024-12412
ALT-PU-2024-12935
BDU:2024-10780
CVE-2024-39917
DLA-4166-1
GHSA-7W22-H4W7-8J5J
MGASA-2025-0044
OPENSUSE-SU-2025_0336-1
OPENSUSE-SU-2026:10816-1
ROSA-SA-2025-2584
ROSA-SA-2025-2585
SUSE-SU-2025:0335-1
SUSE-SU-2025:0336-1
SUSE-SU-2025:0350-1
SUSE-SU-2025_0335-1
SUSE-SU-2025_0336-1
SUSE-SU-2025_0350-1

Affected Products

Alt Linux
Astra Linux
Debian
Red Os
Suse
Xrdp