CVE-2026-33145 Overview
CVE-2026-33145 is a command injection vulnerability in xrdp, an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrdp-sesman. When the AllowAlternateShell setting is enabled (which is the default when not explicitly configured), xrdp accepts a client-supplied AlternateShell value and executes it via /bin/sh -c during session initialization. This results in shell-interpreted execution of unsanitized, user-controlled input.
Critical Impact
Authenticated attackers can execute arbitrary commands on the xrdp server prior to normal window manager startup, bypassing expected session initialization flows and potentially gaining full control within the authenticated user's security context.
Affected Products
- xrdp versions through 0.10.5
- Systems with AllowAlternateShell enabled (default configuration)
- Linux/Unix servers running xrdp for remote desktop access
Discovery Timeline
- 2026-04-17 - CVE-2026-33145 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-33145
Vulnerability Analysis
This command injection vulnerability (CWE-78) exists in the xrdp-sesman component of xrdp. It allows authenticated users to inject and execute arbitrary shell commands through the AlternateShell parameter during RDP session establishment. The attack is network-accessible and requires only low-privilege authentication: any user with valid RDP credentials can potentially exploit the flaw.
The security impact includes the ability to execute commands within the authenticated user's security context, occurring prior to normal window manager startup. This can bypass expected session initialization flows and operational assumptions that restrict execution to interactive desktop environments, effectively providing a scriptable remote command execution primitive over RDP.
Root Cause
The root cause is the lack of input sanitization for the client-supplied AlternateShell value. When the AllowAlternateShell configuration option is enabled (which is the default behavior when not explicitly configured), xrdp directly passes the user-controlled AlternateShell parameter to /bin/sh -c for execution. This design allows shell metacharacters and command sequences to be interpreted, enabling command injection attacks.
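The following is an added illustration of the root cause just described, not xrdp code and not the project's fix. It runs the same constructed, deliberately benign AlternateShell-style string two ways: once through /bin/sh -c, where the ';' is a command separator and two commands run, and once exec'd directly as an argument vector with an allowlisted program name, where the ';' is just a character inside an argument. The allowlist and the sample value are constructed for the example.

```python
from __future__ import annotations

import shlex
import subprocess

# Constructed stand-in for a client-supplied AlternateShell value. It is benign
# on purpose (it only echoes), but it carries a ';' separator, which is the kind
# of shell metacharacter the root-cause description above is about.
CONSTRUCTED_VALUE = "echo session-start; echo second-command"

# Constructed allowlist of programs a hardened session manager might accept as an
# alternate shell. This is NOT xrdp's list; it is purely illustrative.
ALLOWED_PROGRAMS = {"echo", "xterm", "startxfce4"}


def run_via_shell(value: str) -> list[str]:
    """Vulnerable pattern (CWE-78): the untrusted string is handed to
    `/bin/sh -c`, so the shell interprets ';' and runs two separate commands."""
    proc = subprocess.run(["/bin/sh", "-c", value], capture_output=True,
                          text=True, check=False)
    return proc.stdout.splitlines()


def run_without_shell(value: str) -> list[str]:
    """Hardened pattern: no shell is involved. The value is split once into an
    argument vector, argv[0] is checked against an allowlist, and the program is
    exec'd directly. A ';' is now an ordinary character in an argument, and a
    program that is not allowlisted is refused before anything runs."""
    argv = shlex.split(value)
    if not argv:
        raise ValueError("empty AlternateShell value")
    if argv[0] not in ALLOWED_PROGRAMS:
        raise ValueError(f"program not allowlisted: {argv[0]!r}")
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    # Two lines of output versus one: the shell split the string into two commands.
    print("shell-interpreted:", run_via_shell(CONSTRUCTED_VALUE))
    print("exec'd directly:  ", run_without_shell(CONSTRUCTED_VALUE))
```

The design point is that sanitizing metacharacters is a second line of defence; the primary fix for this class of bug is to never hand a client-controlled string to a shell in the first place.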
Attack Vector
The attack vector is network-based, requiring the attacker to have valid authentication credentials for the xrdp server. An authenticated user can supply a malicious AlternateShell value during RDP connection establishment. The xrdp-sesman component then executes this value through the shell without proper sanitization, allowing arbitrary command execution.
The attack flow involves:
- Establishing an RDP connection to a vulnerable xrdp server
- Providing valid authentication credentials
- Injecting malicious shell commands via the AlternateShell parameter
- Commands execute with the privileges of the authenticated user before the desktop session initializes
Since no verified code examples are available, readers should consult the GitHub Security Advisory for detailed technical information about the exploitation mechanism.
Detection Methods for CVE-2026-33145
Indicators of Compromise
- Unusual commands executed during RDP session initialization in xrdp-sesman logs
- Unexpected processes spawned by xrdp-sesman with suspicious command-line arguments
- Authentication events followed by immediate command execution outside normal desktop workflow
- Shell command history showing injection patterns in user sessions
Detection Strategies
- Monitor xrdp-sesman process for child processes with unusual command-line arguments
- Implement audit logging for all shell commands executed during session establishment
- Deploy endpoint detection rules to flag command injection patterns in RDP session parameters
- Review xrdp logs for AlternateShell values containing shell metacharacters such as ;, |, &&, or backticks
Monitoring Recommendations
- Enable verbose logging in xrdp-sesman to capture session initialization details
- Configure SIEM rules to alert on suspicious AlternateShell parameter values
- Implement process monitoring on xrdp servers to detect anomalous command execution patterns
- Monitor for reconnaissance commands commonly executed after successful exploitation
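As an added example covering the log-review strategy and the SIEM-rule recommendation above (this is not part of the original advisory and not an xrdp component), the script below scans log lines for AlternateShell values containing shell metacharacters. It extends the page's list (;, |, &&, backticks) with $(, redirection operators and embedded newlines. The sample log lines and their layout are constructed for the example and do not reproduce xrdp-sesman's real log format; adjust LINE_RE to match the logging configuration on your own servers.

```python
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample log lines. The layout is invented for this example and is
# NOT xrdp-sesman's real log format. The injected-looking values are harmless
# markers, present only so the detector has something to flag.
CONSTRUCTED_LOG = """\
[2026-04-18T08:01:12] [INFO ] sesman: login success user=alice AlternateShell=startxfce4
[2026-04-18T08:03:40] [INFO ] sesman: login success user=bob AlternateShell=xterm; echo marker | tee /tmp/marker
[2026-04-18T08:05:02] [INFO ] sesman: login success user=carol AlternateShell=
[2026-04-18T08:07:55] [INFO ] sesman: login success user=dave AlternateShell=`echo x` > /tmp/o
[2026-04-18T08:09:10] [WARN ] sesman: login failed user=eve
"""

# Matches the constructed layout; adapt to your own log format.
LINE_RE = re.compile(r"user=(?P<user>\S+) AlternateShell=(?P<shell>.*)$")

# Shell metacharacters worth flagging in a value that should name a program.
# '&' covers both backgrounding and '&&' chaining.
METACHARS = {
    ";": "command separator",
    "|": "pipe",
    "&": "background or && chain",
    "`": "backtick substitution",
    "$(": "command substitution",
    ">": "output redirection",
    "<": "input redirection",
    "\n": "embedded newline",
}


def flag_alternate_shell(value: str) -> list[str]:
    """Return a description of every metacharacter present in the value."""
    return [desc for token, desc in METACHARS.items() if token in value]


def scan_sesman_log(lines: Iterable[str]) -> list[dict]:
    """Walk log lines, extract AlternateShell values and report suspicious ones.
    Each finding carries the line number, user, raw value and the reasons."""
    findings: list[dict] = []
    for lineno, line in enumerate(lines, start=1):
        match = LINE_RE.search(line)
        if not match:
            continue
        value = match.group("shell").strip()
        reasons = flag_alternate_shell(value)
        if reasons:
            findings.append({"line": lineno, "user": match.group("user"),
                             "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_sesman_log(CONSTRUCTED_LOG.splitlines()):
        print(f"line {finding['line']}: user={finding['user']} "
              f"value={finding['value']!r} -> {', '.join(finding['reasons'])}")
```

An empty AlternateShell (carol's line) is the normal case and is not flagged; only values carrying interpreter syntax are reported, which keeps the rule quiet on servers where the feature is legitimately used with a plain program name.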
How to Mitigate CVE-2026-33145
Immediate Actions Required
- Upgrade xrdp to version 0.10.6 or later immediately
- Explicitly disable AllowAlternateShell in xrdp configuration if the feature is not required
- Audit existing xrdp servers for vulnerable versions
- Review logs for any evidence of prior exploitation attempts
Patch Information
The vulnerability has been fixed in xrdp version 0.10.6. Organizations should update to this version or later to remediate the vulnerability. The patch addresses the unsafe handling of the AlternateShell parameter by implementing proper input sanitization.
For more information, see the GitHub v0.10.6 Release and the GitHub Security Advisory GHSA-rmvv-7633-fg7h.
Workarounds
- Disable the AllowAlternateShell option in /etc/xrdp/sesman.ini by setting AllowAlternateShell=false
- Implement network segmentation to restrict RDP access to trusted networks only
- Enforce strong authentication and limit the number of accounts with RDP access
- Consider deploying a bastion host or VPN gateway for RDP connections
# Configuration example - Disable AllowAlternateShell in sesman.ini
# Edit /etc/xrdp/sesman.ini and add or modify the following:
[Security]
AllowAlternateShell=false
# Restart xrdp-sesman service after configuration change
sudo systemctl restart xrdp-sesman
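The audit function below is an added example, not part of the advisory or of xrdp, for checking the workaround above across a fleet: it parses sesman.ini text and reports whether AllowAlternateShell is effectively enabled, treating an absent key as enabled because the page states that is the default. It only honours the key inside the [Security] section, and the set of spellings it accepts as "true" is an assumption of the example rather than something the page documents. The three configurations it checks are constructed.

```python
from __future__ import annotations

# Spellings treated as "true". This set is an assumption of the example, not
# taken from the page; check it against your xrdp version's parser.
TRUE_WORDS = {"1", "true", "yes", "on"}

# Constructed sesman.ini fragments covering the three states an auditor meets.
INI_MISSING_KEY = """\
[Globals]
ListenPort=3350

[Security]
AllowRootLogin=false
"""

INI_EXPLICIT_TRUE = """\
[Security]
AllowRootLogin=false
AllowAlternateShell = true   ; trailing comment style is tolerated by the parser
"""

INI_EXPLICIT_FALSE = """\
[Security]
AllowRootLogin=false
AllowAlternateShell=false
"""


def parse_ini(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI parser: sections in [brackets], key=value pairs, '#' or ';'
    comment lines, and ';' inline comments stripped from values. Section and key
    names are lower-cased so lookups are case-insensitive."""
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            value = value.split(";", 1)[0].strip()
            sections[current][key.strip().lower()] = value
    return sections


def audit_alternate_shell(ini_text: str) -> dict:
    """Report the effective state of AllowAlternateShell.
    An absent key means the feature is enabled (the page's stated default)."""
    security = parse_ini(ini_text).get("security", {})
    raw = security.get("allowalternateshell")
    if raw is None:
        return {"present": False, "raw": None, "enabled": True,
                "verdict": "not set; defaults to enabled, add AllowAlternateShell=false under [Security]"}
    enabled = raw.lower() in TRUE_WORDS
    verdict = "explicitly enabled; set to false unless required" if enabled \
        else "disabled"
    return {"present": True, "raw": raw, "enabled": enabled, "verdict": verdict}


if __name__ == "__main__":
    for name, text in [("missing", INI_MISSING_KEY), ("true", INI_EXPLICIT_TRUE),
                       ("false", INI_EXPLICIT_FALSE)]:
        print(name, "->", audit_alternate_shell(text)["verdict"])
```

Run it against /etc/xrdp/sesman.ini on each host (for example via your configuration-management tool) and treat any result with enabled=True on a version before 0.10.6 as an open finding; disabling the option is a workaround, so the upgrade remains the actual fix.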
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

