Full Report
A newly disclosed security flaw in the Amazon WorkSpaces client for Linux has raised serious concerns across organizations relying on AWS virtual desktop infrastructure. The vulnerability, identified as CVE-2025-12779, enables local attackers to extract valid authentication tokens and gain unauthorized access to other users’ WorkSpace sessions. On November 5, 2025, AWS issued a formal security bulletin, AWS-2025-025, detailing the issue and urging immediate remediation. The bulletin categorized the flaw as “Important (requires attention)” and warned users that improper token handling in specific client versions could expose sensitive credentials on shared systems. CVE-2025-12779 Vulnerability Details and Impact According to the advisory, the vulnerability affects the Amazon WorkSpaces client for Linux versions 2023.0 through 2024.8. These versions mishandle authentication tokens used in DCV-based WorkSpaces, potentially leaving them accessible to other local users on the same client machine. Under the right conditions, a malicious local user could retrieve these tokens and establish unauthorized access to another individual’s virtual desktop session. In its official statement, AWS noted: “Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, an unintended user may be able to extract a valid authentication token from the client machine and access another user’s WorkSpace.” The issue stems from improper token management within the affected client versions. When deployed in multi-user or shared Linux environments, these tokens may remain accessible to other users on the system. This creates a direct path for attackers to exploit the weakness and impersonate legitimate users. Once a valid token is obtained, an attacker can connect to the victim’s WorkSpace as an authenticated user, bypassing standard access controls. Because the session would appear legitimate, traditional network-based intrusion detection tools might fail to detect the compromise. This allows an attacker to maintain persistent access to sensitive applications, data, and system resources hosted within the virtual environment. The CVE-2025-12779 flaw highlights a critical risk in desktop virtualization environments where shared systems or contractor workstations are common. Unlike remote exploits that target network vulnerabilities, this issue operates at the local level. AWS Response and Patch Availability To mitigate the vulnerability, AWS confirmed that the problem has been resolved in the Amazon WorkSpaces client for Linux version 2025.0. Users are strongly advised to upgrade to version 2025.0 or newer as soon as possible. The updated client can be downloaded directly from the Amazon WorkSpaces Client Download page. Furthermore, AWS announced the end of support for the affected client versions, effectively requiring all organizations to transition to the patched release. Security teams are urged to audit their current deployments to identify any instances still running versions 2023.0 through 2024.8. Immediate upgrades should be prioritized for environments where multiple users share access to the same Linux systems. In addition to updating software, organizations are encouraged to review access logs for signs of unauthorized token extraction or abnormal login activity during the period when the vulnerability was active. This step is critical for detecting potential breaches that may have already occurred before the patch was applied.
Analysis Summary
# Vulnerability: Authentication Token Theft in Amazon WorkSpaces Linux Client
## CVE Details
- CVE ID: CVE-2025-12779
- CVSS Score: Not explicitly stated, but categorized as **"Important (requires attention)"** by AWS.
- CWE: Not specified in the text.
## Affected Systems
- Products: Amazon WorkSpaces client for Linux
- Versions: 2023.0 through 2024.8
- Configurations: DCV-based WorkSpaces, particularly in multi-user or shared Linux environments where client tokens might persist across user sessions.
## Vulnerability Description
The vulnerability stems from improper handling of authentication tokens used for DCV-based WorkSpaces within specific versions of the Amazon WorkSpaces client for Linux. This flaw allows a malicious local attacker on the same client machine to potentially extract a valid authentication token. Once extracted, this token can be used to gain unauthorized, authenticated access to another legitimate user's WorkSpace session, bypassing standard network access controls.
## Exploitation
- Status: Not explicitly stated as being exploited in the wild, but the threat is immediate due to the local access requirement.
- Complexity: Implies **Low to Medium** based on the requirement for local access to a shared system.
- Attack Vector: **Local**
## Impact
- Confidentiality: **High**. An attacker gains access to the victim’s entire WorkSpace session, including sensitive data, applications, and resources.
- Integrity: **High**. An attacker can modify data or perform actions within the victim's session.
- Availability: **Low to Medium**. The direct impact is unauthorized access, though session disruption is possible.
## Remediation
### Patches
- **Amazon WorkSpaces client for Linux version 2025.0 or newer resolves the issue.**
- Affected versions (2023.0 through 2024.8) are now End-of-Support.
### Workarounds
- No specific technical workarounds were provided, as immediate patching/upgrading is mandated. The implied workaround is to ensure the client is upgraded to the patched version.
## Detection
- **Indicators of Compromise (IOCs):** Monitor for unauthorized token extraction attempts (if forensics allow) and abnormal login activity to WorkSpaces sessions corresponding to the time frame the vulnerability was active/unpatched.
- **Detection Methods and Tools:** Security teams are urged to audit deployments to identify the vulnerable client versions. Reviewing access logs for suspicious session connections is critical. Traditional network-based IDS may not detect the compromise as the access appears legitimate post-token theft.
## References
- Vendor Advisory: AWS Security Bulletin **AWS-2025-025** (Issued November 5, 2025)
- Download Location: Amazon WorkSpaces Client Download page (URL must be retrieved from the vendor documentation)