Introduction
Unauthorized access to virtual desktops can result in exposure of sensitive business data and disruption of critical workflows. In multi-user environments where Amazon WorkSpaces clients for Linux are deployed, a newly disclosed vulnerability allows local users to extract authentication tokens and access other users' WorkSpaces. This post provides a brief summary of CVE-2025-12779, a high-severity issue affecting Amazon WorkSpaces client for Linux.
About Amazon WorkSpaces and AWS: Amazon Web Services (AWS) is a dominant force in the global cloud computing market, providing infrastructure and platform services to millions of organizations. Amazon WorkSpaces is AWS's Desktop-as-a-Service (DaaS) offering, enabling secure remote desktop access for enterprises worldwide. WorkSpaces is widely used in regulated industries, large enterprises, and organizations with distributed workforces.
Technical Information
CVE-2025-12779 affects Amazon WorkSpaces client for Linux, specifically versions 2023.0 through 2024.8. The vulnerability is due to improper handling of authentication tokens used for DCV-based WorkSpaces sessions. When multiple users share a Linux client machine, the client may inadvertently expose authentication tokens to other local users. This exposure occurs because the client does not adequately isolate or protect the sensitive token data, allowing a local user to extract another user's token and use it to access their WorkSpace.
The vulnerability is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). Exploitation requires local access to the affected client machine. Once a token is extracted, an attacker can impersonate the victim user and gain access to their WorkSpace, including any applications or data available in that session. The vulnerability does not impact WorkSpaces clients using protocols other than DCV, such as PCoIP.
No public code snippets or detailed exploitation scripts are available for this vulnerability.
Patch Information
To address the improper handling of authentication tokens in the Amazon WorkSpaces client for Linux, AWS has released version 2025.0. This update ensures that authentication tokens for DCV-based WorkSpaces are securely managed, preventing unintended local users from accessing another user's WorkSpace. Users are advised to upgrade to version 2025.0 or later to remediate this issue. The updated client can be downloaded from the Amazon WorkSpaces Client Download page.
Affected Systems and Versions
- Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8
- Only DCV-based WorkSpaces sessions are affected
- WorkSpaces clients using PCoIP are not impacted
- Vulnerability is present in shared or multi-user Linux client environments
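
The conditions above can be turned into a fleet triage check. The following is an added example, not code from AWS or from the original post; it assumes client versions are reported as `year.minor` with an optional build suffix, and the hosts and values in the sample inventory are constructed.

```python
import re

# Values taken from the advisory text above.
AFFECTED_MIN = (2023, 0)   # first affected release
AFFECTED_MAX = (2024, 8)   # last affected release
FIXED = (2025, 0)          # release carrying the fix

def release(version):
    """Return (year, minor), dropping any build suffix (assumed format)."""
    m = re.match(r"\s*(\d{4})\.(\d+)(?:\.\d+)*\s*$", version)
    if m is None:
        raise ValueError(f"unrecognized version string: {version!r}")
    return int(m.group(1)), int(m.group(2))

def triage(version, protocol, local_accounts):
    """Classify one client install against the advisory's conditions."""
    try:
        rel = release(version)
    except ValueError:
        return "unparsed"            # needs a manual look
    if rel >= FIXED:
        return "fixed"
    if not (AFFECTED_MIN <= rel <= AFFECTED_MAX):
        return "not_listed"          # the advisory makes no statement
    # Comparing the full tuple (2024, 8, 5191) against (2024, 8) would
    # wrongly put a 2024.8 build above the range; release() avoids that.
    if protocol.strip().upper() == "DCV" and local_accounts > 1:
        return "upgrade_urgent"      # token exposure needs a second local user
    return "upgrade"                 # affected build, exposure conditions unmet

# Constructed inventory rows: (host, client version, protocol, local accounts).
SAMPLE = [
    ("kiosk-01", "2024.8.5191", "DCV", 3),
    ("kiosk-02", "2023.0", "PCoIP", 4),
    ("dev-07", "2024.3.4000", "dcv", 1),
    ("lab-12", "2025.0.5300", "DCV", 6),
    ("old-03", "2022.1", "DCV", 2),
    ("unk-09", "n/a", "DCV", 2),
]

def triage_inventory(rows):
    return {host: triage(ver, proto, n) for host, ver, proto, n in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:10} {status}")
```
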
Vendor Security History
Amazon Web Services has a strong record of rapid response to security issues. Previous vulnerabilities in Amazon WorkSpaces include:
- CVE-2025-0500 and CVE-2025-0501: Both related to authentication and session security in WorkSpaces and related services

AWS typically issues security bulletins and patches promptly and maintains a formal disclosure process for vulnerabilities affecting its products.



