Executive Summary

Amazon Web Services (AWS) has remediated a high-severity vulnerability, CVE-2025-12779, in its Amazon WorkSpaces client for the Linux operating system. The flaw, which carries a CVSS score of 8.8, stemmed from the improper handling of authentication tokens. Under specific conditions, this could allow a local user on a multi-user machine to extract a valid authentication token belonging to another user. An attacker could then use this token to hijack the victim's active DCV-based WorkSpace (virtual desktop) session. The vulnerability affects client versions from 2023.0 to 2024.8. AWS has released version 2025.0 of the Linux client to address the issue and advises all customers to upgrade promptly.

Vulnerability Details

• CVE-ID: CVE-2025-12779
• CVSS Score: 8.8 (High)
• Affected Software: Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8.
• Vulnerability Type: Improper Handling of Sensitive Information (Authentication Token)
• Attack Vector: Local. An attacker needs to have local user access to the same physical Linux machine where a victim is also using the WorkSpaces client. This scenario is common in shared computing environments like university labs or corporate hot-desking setups.
• Impact: An attacker can extract a valid authentication token, which can then be used to gain unauthorized access to the victim's virtual desktop session. This allows the attacker to view and interact with the victim's WorkSpace, access their data, and potentially pivot to other resources accessible from that virtual desktop.

Exploitation Status

There is no public evidence of in-the-wild exploitation at this time. The vulnerability was disclosed responsibly to AWS, allowing them to prepare and release a patch. However, the technical details are now public, increasing the likelihood of future exploitation attempts against unpatched systems.

Impact Assessment

While the attack vector is local, the impact is significant for organizations that use shared Linux workstations. An attacker could gain full access to a colleague's or another user's entire work environment. This could lead to:

• Data Breach: Theft of sensitive corporate data, intellectual property, or personally identifiable information (PII) accessible from the victim's WorkSpace.
• Privilege Escalation: If the victim has elevated privileges within the corporate network, the attacker could leverage this access to move laterally and cause a much wider breach.
• Compliance Violations: Unauthorized access to sensitive data could result in violations of regulations like GDPR, HIPAA, or PCI DSS. The risk is highest in environments where users with different privilege levels share the same physical machines.

Detection Methods

• Version Scanning: Use asset management or endpoint management tools to identify all Linux machines running vulnerable versions (2023.0 through 2024.8) of the Amazon WorkSpaces client. D3FEND Technique: D3-AI: Asset Identification.
• Log Analysis: While difficult to detect, post-compromise activity might be visible. Monitor WorkSpaces access logs in AWS CloudTrail for sessions originating from unexpected IP addresses, although a sophisticated attacker might try to proxy through the compromised machine. Look for unusual activity within a session that does not match the known user's behavior. D3FEND Technique: D3-UBA: User Behavior Analysis.

Remediation Steps

1. Upgrade the Client: The only way to fix the vulnerability is to upgrade the Amazon WorkSpaces client for Linux to version 2025.0 or later. This should be a high-priority task for all affected users. D3FEND Technique: D3-SU: Software Update.
2. Enforce Single User per Machine: As a general security best practice, avoid having users with different access levels or roles share the same physical workstation where possible. This mitigates a wide range of local privilege escalation and information disclosure vulnerabilities.
3. User Communication: Inform all users of the Amazon WorkSpaces Linux client about the vulnerability and provide clear instructions on how to upgrade. Track the upgrade progress to ensure all endpoints are patched.