Authentication Token Exposure Vulnerability in Amazon WorkSpaces Client for Linux
A critical vulnerability, tracked as CVE-2025-12779, was discovered in the Amazon WorkSpaces client for Linux, specifically affecting versions 2023.0 through 2024.8. The flaw arises from improper handling of authentication tokens, which can allow local users on the same client machine to extract valid tokens and gain unauthorized access to other users’ WorkSpace sessions. AWS issued a security bulletin (AWS-2025-025) on November 5, 2025, categorizing the issue as important and urging immediate remediation to prevent potential credential exposure on shared systems.
The vulnerability does not allow for remote exploitation but poses a significant risk in environments where multiple users share the same Linux client. AWS recommends upgrading to version 2025.0 or later of the Amazon WorkSpaces client for Linux to mitigate the risk. Organizations relying on AWS virtual desktop infrastructure are advised to review their deployments and ensure all affected clients are updated to prevent unauthorized access and potential data compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
CVE-2025-12779 disclosed for Amazon WorkSpaces Client for Linux
A high-severity vulnerability, CVE-2025-12779, was publicly disclosed affecting Amazon WorkSpaces Client for Linux. The issue exposed authentication tokens, creating a risk of token theft for Linux users of the client.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Critical CVE-2025-12779 Vulnerability Exposes Amazon WorkSpaces for Linux Users to Token Theft
thecyberexpress.com
Open sourceCVE-2025-12779 - Amazon WorkSpaces Client for Linux Authentication Token Exposure
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AWS discloses multiple flaws across SageMaker, Redshift, RabbitMQ, Braket, and WorkSpaces
AWS published a series of security bulletins covering vulnerabilities across several products and SDKs, including **model artifact integrity verification issues** in the Amazon SageMaker Python SDK (`CVE-2026-8596`, `CVE-2026-8597`), a **heap out-of-bounds read** in `coreMQTT` MQTT5 property parsing (`CVE-2026-8686`), and a **remote code execution** flaw in the `amazon-redshift-python-driver` (`CVE-2026-8838`). The company also disclosed an **arbitrary file read** issue in the `rabbitmq-aws` plugin (`CVE-2026-9133`), **tool execution without authorization via piped stdin** in Kiro CLI (`CVE-2026-9255`), and **insecure deserialization** in Amazon Braket SDK job results processing (`CVE-2026-9291`). A separate advisory addressed **improper authentication token handling** in the Amazon WorkSpaces client for Linux. Taken together, the disclosures span cloud development tools, messaging components, data platforms, quantum-computing SDKs, and end-user clients, indicating a broad patching requirement for organizations using AWS software. Security teams should identify affected packages and clients in their environments and prioritize remediation for flaws that could enable **remote code execution, unauthorized actions, file disclosure, or unsafe processing of untrusted data**.
Jun 30, 2026
AWS VPN Client for macOS Privilege Escalation Vulnerability (CVE-2025-11462)
A critical vulnerability, tracked as CVE-2025-11462, was discovered in the AWS Client VPN application for macOS, allowing local users to escalate privileges to root. The flaw, which received a CVSS score of 9.3, is caused by improper link resolution before file access in the AWS VPN Client for macOS versions 1.3.2 through 5.2.0. Insufficient validation checks on the log destination directory during log rotation enable a non-administrator user to create a symbolic link from a client log file to a privileged location. When log rotation occurs, this symlink can be exploited to inject arbitrary code into the log file, which is then executed with root privileges. The vulnerability is not remotely exploitable, requiring local access to the affected system. Security researchers highlighted that a crafted API call could be used to inject malicious code into the log file, further increasing the risk of exploitation. AWS has released a patched version, AWS VPN Client for macOS 5.2.1, and strongly recommends all users upgrade to this or the latest available version to mitigate the risk. The vulnerability was publicly disclosed on October 7, 2025, and has been classified as critical due to the potential for full system compromise. No evidence of active exploitation in the wild has been reported at the time of disclosure, but the technical details suggest that exploitation would be straightforward for a local attacker. The flaw does not affect other operating systems or AWS VPN clients for platforms other than macOS. Organizations using affected versions are urged to update immediately and review system logs for any signs of suspicious activity. The vulnerability underscores the importance of secure log handling and proper validation of file operations in privileged applications. Security advisories recommend restricting local access to systems running vulnerable versions until patches are applied. The issue was identified and reported through responsible disclosure channels, and AWS responded promptly with a fix. The vulnerability highlights ongoing risks associated with privilege escalation flaws in widely used enterprise software.
Jun 30, 2026
Hardcoded AWS Root Credentials in Worksnaps Client Exposed Production S3 Data
Silver Leaf Technologies' **Worksnaps** client was found to contain hardcoded cloud credentials that exposed the company's production environment, a flaw tracked as **`CVE-2025-10560`** and rated **critical**. Security researchers reported that affected client versions before **`1.6.20260201`** embedded AWS access keys, S3 bucket names, and related cloud access details in application binaries, allowing anyone who obtained the software to extract the secrets. The disclosed credentials reportedly authenticated as the vendor's **AWS root identity**, enabling access to production resources including S3 buckets that stored sensitive user data such as screenshots of employee desktops. SEC Consult said the issue extended beyond the initial embedded keys: after the vendor removed the original hardcoded root credentials, the client still received decryptable AWS credentials from the server during login, leaving access to screenshot buckets effectively unresolved for a period. Researchers also noted additional hardcoded **UCloud** credentials, though their validity was not confirmed. Worksnaps has since released **`1.6.20260201`** as the fixed version, while recommended response actions include immediate credential rotation, restricting or removing sensitive data from exposed buckets, and upgrading all affected clients.
Jun 29, 2026