Authentication Token Exposure Vulnerability in Amazon WorkSpaces Client for Linux
A critical vulnerability, tracked as CVE-2025-12779, was discovered in the Amazon WorkSpaces client for Linux, specifically affecting versions 2023.0 through 2024.8. The flaw arises from improper handling of authentication tokens, which can allow local users on the same client machine to extract valid tokens and gain unauthorized access to other users’ WorkSpace sessions. AWS issued a security bulletin (AWS-2025-025) on November 5, 2025, categorizing the issue as important and urging immediate remediation to prevent potential credential exposure on shared systems.
The vulnerability does not allow for remote exploitation but poses a significant risk in environments where multiple users share the same Linux client. AWS recommends upgrading to version 2025.0 or later of the Amazon WorkSpaces client for Linux to mitigate the risk. Organizations relying on AWS virtual desktop infrastructure are advised to review their deployments and ensure all affected clients are updated to prevent unauthorized access and potential data compromise.
Timeline
Nov 5, 2025
CVE-2025-12779 disclosed for Amazon WorkSpaces Client for Linux
A high-severity vulnerability, CVE-2025-12779, was publicly disclosed affecting Amazon WorkSpaces Client for Linux. The issue exposed authentication tokens, creating a risk of token theft for Linux users of the client.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
Related Stories
AWS VPN Client for macOS Privilege Escalation Vulnerability (CVE-2025-11462)
A critical vulnerability, tracked as CVE-2025-11462, was discovered in the AWS Client VPN application for macOS, allowing local users to escalate privileges to root. The flaw, which received a CVSS score of 9.3, is caused by improper link resolution before file access in the AWS VPN Client for macOS versions 1.3.2 through 5.2.0. Insufficient validation checks on the log destination directory during log rotation enable a non-administrator user to create a symbolic link from a client log file to a privileged location. When log rotation occurs, this symlink can be exploited to inject arbitrary code into the log file, which is then executed with root privileges. The vulnerability is not remotely exploitable, requiring local access to the affected system. Security researchers highlighted that a crafted API call could be used to inject malicious code into the log file, further increasing the risk of exploitation. AWS has released a patched version, AWS VPN Client for macOS 5.2.1, and strongly recommends all users upgrade to this or the latest available version to mitigate the risk. The vulnerability was publicly disclosed on October 7, 2025, and has been classified as critical due to the potential for full system compromise. No evidence of active exploitation in the wild has been reported at the time of disclosure, but the technical details suggest that exploitation would be straightforward for a local attacker. The flaw does not affect other operating systems or AWS VPN clients for platforms other than macOS. Organizations using affected versions are urged to update immediately and review system logs for any signs of suspicious activity. The vulnerability underscores the importance of secure log handling and proper validation of file operations in privileged applications. Security advisories recommend restricting local access to systems running vulnerable versions until patches are applied. The issue was identified and reported through responsible disclosure channels, and AWS responded promptly with a fix. The vulnerability highlights ongoing risks associated with privilege escalation flaws in widely used enterprise software.
1 months ago
Critical AWS Ops Wheel Flaws Enable Admin Takeover via JWT Forgery and Cognito Abuse
AWS disclosed two severe vulnerabilities in **AWS Ops Wheel** that can let attackers seize administrative control of deployments and manipulate tenant data. **`CVE-2026-6911`** is an authentication bypass caused by missing JWT signature verification at the API Gateway endpoint, allowing unauthenticated attackers to forge tokens and gain unintended admin access. AWS said successful exploitation could let attackers read, modify, and delete application data across tenants and manage Cognito user accounts in the deployment's User Pool; the flaw is tracked as **`CWE-347`** and carries a critical **CVSS v3.1 `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`** rating. AWS also fixed **`CVE-2026-6912`**, a privilege-escalation issue in Ops Wheel's Cognito User Pool configuration that let authenticated users promote themselves to deployment administrator by setting the **`custom:deployment_admin`** attribute through the `UpdateUserAttributes` API. The bug, classified as **`CWE-915`**, exposed the same ability to manage Cognito user accounts and carried a high-severity **CVSS v3.1 `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`** score. AWS directed customers to redeploy from the updated repository and apply the fixes to any forked or derivative code, with patches referenced in an AWS security bulletin, a GitHub pull request, and a GitHub security advisory.
1 weeks ago
AWS Research and Engineering Studio Flaws Enable Root Command Execution and AWS Privilege Escalation
AWS disclosed two high-severity vulnerabilities in **Research and Engineering Studio (RES)** that affect releases from `2025.03` through versions prior to `2026.03`. The first, **`CVE-2026-5707`**, is a `CWE-78` command injection flaw in virtual desktop session name handling that could let a remote authenticated attacker execute arbitrary commands as **root** on a virtual desktop host by supplying a crafted session name. The issue carries a CVSS v3.1 rating of `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, reflecting high impact across confidentiality, integrity, and availability. AWS also disclosed **`CVE-2026-5708`**, a `CWE-915` privilege-escalation flaw in the RES `CreateSession` API caused by improper control of user-modifiable attributes. An authenticated attacker could use a crafted API request to escalate privileges, assume the virtual desktop host instance profile permissions, and access AWS resources and services. AWS directed customers to upgrade to **RES `2026.03`** or apply the vendor mitigation patch, with details published through an AWS security bulletin, a GitHub issue, and the RES `2026.03` release notes.
2 weeks ago