AWS Research and Engineering Studio Flaws Enable Root Command Execution and AWS Privilege Escalation
AWS disclosed two high-severity vulnerabilities in Research and Engineering Studio (RES) that affect releases from 2025.03 up to, but not including, 2026.03. The first, CVE-2026-5707, is a CWE-78 command injection flaw in virtual desktop session name handling that could let a remote authenticated attacker execute arbitrary commands as root on a virtual desktop host by supplying a crafted session name. The issue carries a CVSS v3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting high impact across confidentiality, integrity, and availability.
AWS also disclosed CVE-2026-5708, a CWE-915 privilege-escalation flaw in the RES CreateSession API caused by improper control of user-modifiable attributes. An authenticated attacker could use a crafted API request to escalate privileges, assume the virtual desktop host instance profile permissions, and access AWS resources and services. AWS directed customers to upgrade to RES 2026.03 or apply the vendor mitigation patch, with details published through an AWS security bulletin, a GitHub issue, and the RES 2026.03 release notes.
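The two weakness classes above, shown as server-side checks in an added Python example that is not RES code or AWS's patch. The request field names, the session-name pattern and the stand-in host command are all assumptions, since the page does not describe the real CreateSession schema.

```python
import re
import subprocess
import sys

# Assumed schema: the page does not list the real CreateSession fields.
USER_SETTABLE = frozenset({"name", "software_stack", "instance_type"})
# Assumed naming policy: letters, digits, '_' and '-', at most 24 characters.
SESSION_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,23}")

# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"name": "demo-1", "instance_type": "t3.large"},
    {"name": "demo; echo injected"},
    {"name": "demo-2", "instance_profile": "placeholder-admin-profile"},
]

class RejectedRequest(ValueError):
    """A request carried a non-modifiable attribute or an invalid name."""

def bind_create_session(payload: dict, owner: str) -> dict:
    """CWE-915 control: bind only allowlisted fields, set the rest server-side."""
    extra = sorted(set(payload) - USER_SETTABLE)
    if extra:
        raise RejectedRequest(f"attributes not user-modifiable: {extra}")
    name = payload.get("name")
    if not isinstance(name, str) or not SESSION_NAME_RE.fullmatch(name):
        raise RejectedRequest("invalid session name")
    session = {k: v for k, v in payload.items() if k in USER_SETTABLE}
    session["owner"] = owner  # taken from the authenticated identity
    return session

def run_host_step(session: dict) -> str:
    """CWE-78 control: argv list, no shell, so the name stays one argument."""
    # Stand-in for the host-side command; it only echoes its argument back.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", session["name"]]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()

def triage(samples: list, owner: str = "alice") -> list:
    """Return 'accepted' or the rejection reason for each sample request."""
    results = []
    for payload in samples:
        try:
            bind_create_session(payload, owner)
            results.append("accepted")
        except RejectedRequest as exc:
            results.append(str(exc))
    return results
```

The allowlist and the shell-free invocation are independent layers: the second keeps a session name inert even if the pattern is later loosened.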
Timeline
Apr 10, 2026
AWS discloses CVE-2026-5709 affecting RES cluster-manager instance
AWS security bulletin 2026-014-AWS disclosed a third severe RES vulnerability, CVE-2026-5709, an OS command injection flaw that could let an authenticated attacker compromise the cluster-manager EC2 instance. AWS said the issue was fixed in RES version 2026.03 and provided upgrade and manual mitigation guidance.
Apr 6, 2026
CVE-2026-5707 and CVE-2026-5708 are publicly disclosed
Public vulnerability records described two high-severity AWS RES flaws: CVE-2026-5707, a command injection issue, and CVE-2026-5708, a privilege-escalation issue. Both were published with high-impact CVSS 3.1 scores and remediation guidance pointing to RES 2026.03.
Apr 6, 2026
AWS releases RES 2026.03 and mitigation guidance for two high-severity flaws
AWS released RES version 2026.03 and advised customers to upgrade or apply the corresponding mitigation patch to address CVE-2026-5707 and CVE-2026-5708. The fixes were referenced in an AWS security bulletin, GitHub issue, and the RES 2026.03 release page.
Mar 1, 2025
AWS RES versions before 2026.03 contain CreateSession privilege-escalation flaw
AWS RES versions prior to 2026.03 contained a privilege-escalation issue later assigned CVE-2026-5708. The vulnerability allowed an authenticated remote attacker to manipulate CreateSession attributes to assume the virtual desktop host instance profile permissions and access AWS resources.
Mar 1, 2025
AWS RES versions 2025.03–2025.12.01 ship with command injection flaw
AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01 included a command injection vulnerability later assigned CVE-2026-5707. The flaw involved unsanitized virtual desktop session names in OS command handling, enabling authenticated remote code execution as root on the virtual desktop host.
Related Stories

Critical AWS Ops Wheel Flaws Enable Admin Takeover via JWT Forgery and Cognito Abuse
AWS disclosed two severe vulnerabilities in **AWS Ops Wheel** that can let attackers seize administrative control of deployments and manipulate tenant data. **`CVE-2026-6911`** is an authentication bypass caused by missing JWT signature verification at the API Gateway endpoint, allowing unauthenticated attackers to forge tokens and gain unintended admin access. AWS said successful exploitation could let attackers read, modify, and delete application data across tenants and manage Cognito user accounts in the deployment's User Pool; the flaw is tracked as **`CWE-347`** and carries a critical **CVSS v3.1 `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`** rating. AWS also fixed **`CVE-2026-6912`**, a privilege-escalation issue in Ops Wheel's Cognito User Pool configuration that let authenticated users promote themselves to deployment administrator by setting the **`custom:deployment_admin`** attribute through the `UpdateUserAttributes` API. The bug, classified as **`CWE-915`**, exposed the same ability to manage Cognito user accounts and carried a high-severity **CVSS v3.1 `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`** score. AWS directed customers to redeploy from the updated repository and apply the fixes to any forked or derivative code, with patches referenced in an AWS security bulletin, a GitHub pull request, and a GitHub security advisory.
1 week ago
Critical RCE Flaws Disclosed in Ivanti CSA and VMware vCenter
Critical vulnerabilities were disclosed in **Ivanti Cloud Services Application (CSA)** and **VMware vCenter Server** products, exposing enterprise management platforms to remote compromise. Ivanti said CSA `5.0.2` and earlier contain three flaws—`CVE-2024-11639`, `CVE-2024-11772`, and `CVE-2024-11773`—that can enable authentication bypass, remote code execution, and arbitrary SQL query execution through the administrator browser console, with the most severe issues rated **CVSS 10.0**. Ivanti released fixes in CSA `5.0.3` and urged customers to update immediately. VMware also disclosed two vulnerabilities affecting **vCenter Server** and **VMware Cloud Foundation**: `CVE-2024-38812`, a heap overflow that can allow arbitrary code execution, and `CVE-2024-38813`, which can enable privilege escalation to root. The flaws affect vCenter Server `7.0` and `8.0` as well as VMware Cloud Foundation `4.x` and `5.x`, and can be exploited remotely over the network using specially crafted packets. In both vendor notices, no active exploitation had been confirmed at the time of disclosure, but organizations and service providers were advised to apply vendor-fixed versions without delay because successful attacks could result in full administrative compromise.
1 week ago
AWS VPN Client for macOS Privilege Escalation Vulnerability (CVE-2025-11462)
A critical vulnerability, tracked as CVE-2025-11462, was discovered in the AWS Client VPN application for macOS, allowing local users to escalate privileges to root. The flaw, which received a CVSS score of 9.3, is caused by improper link resolution before file access in the AWS VPN Client for macOS versions 1.3.2 through 5.2.0. Insufficient validation checks on the log destination directory during log rotation enable a non-administrator user to create a symbolic link from a client log file to a privileged location. When log rotation occurs, this symlink can be exploited to inject arbitrary code into the log file, which is then executed with root privileges. The vulnerability is not remotely exploitable, requiring local access to the affected system. Security researchers highlighted that a crafted API call could be used to inject malicious code into the log file, further increasing the risk of exploitation. AWS has released a patched version, AWS VPN Client for macOS 5.2.1, and strongly recommends all users upgrade to this or the latest available version to mitigate the risk. The vulnerability was publicly disclosed on October 7, 2025, and has been classified as critical due to the potential for full system compromise. No evidence of active exploitation in the wild has been reported at the time of disclosure, but the technical details suggest that exploitation would be straightforward for a local attacker. The flaw does not affect other operating systems or AWS VPN clients for platforms other than macOS. Organizations using affected versions are urged to update immediately and review system logs for any signs of suspicious activity. The vulnerability underscores the importance of secure log handling and proper validation of file operations in privileged applications. Security advisories recommend restricting local access to systems running vulnerable versions until patches are applied. 
The issue was identified and reported through responsible disclosure channels, and AWS responded promptly with a fix. The vulnerability highlights ongoing risks associated with privilege escalation flaws in widely used enterprise software.
1 month ago