Hardcoded AWS Root Credentials in Worksnaps Client Exposed Production S3 Data
Silver Leaf Technologies' Worksnaps client was found to contain hardcoded cloud credentials that exposed the company's production environment, a flaw tracked as CVE-2025-10560 and rated critical. Security researchers reported that affected client versions before 1.6.20260201 embedded AWS access keys, S3 bucket names, and related cloud access details in application binaries, allowing anyone who obtained the software to extract the secrets. The disclosed credentials reportedly authenticated as the vendor's AWS root identity, enabling access to production resources including S3 buckets that stored sensitive user data such as screenshots of employee desktops.
SEC Consult said the issue extended beyond the initial embedded keys: after the vendor removed the original hardcoded root credentials, the client still received decryptable AWS credentials from the server during login, leaving access to screenshot buckets effectively unresolved for a period. Researchers also noted additional hardcoded UCloud credentials, though their validity was not confirmed. Worksnaps has since released 1.6.20260201 as the fixed version, while recommended response actions include immediate credential rotation, restricting or removing sensitive data from exposed buckets, and upgrading all affected clients.
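A release-gate check for the failure described above, as an added example that is not taken from the SEC Consult advisory or from Worksnaps code: it scans a built client artifact for AWS access key IDs in both ASCII and UTF-16LE (the encoding Windows binaries commonly use for strings) and fails the build on any hit. The function names are illustrative, and the pattern assumes the standard 20-character `AKIA`/`ASIA` key ID format.

```python
"""Release gate: fail the build if an artifact embeds an AWS access key ID."""
import re
import sys

# Access key IDs are 20 characters: a 4-letter prefix (AKIA = long-term key,
# ASIA = temporary STS key) followed by 16 upper-case alphanumerics.
# Windows binaries often store strings as UTF-16LE, so scan both encodings.
PATTERNS = {
    "ascii": re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "utf-16-le": re.compile(
        rb"(?<![A-Z0-9]\x00)(?:A\x00K\x00I\x00A\x00|A\x00S\x00I\x00A\x00)"
        rb"(?:[A-Z0-9]\x00){16}(?![A-Z0-9]\x00)"
    ),
}


def find_key_ids(blob: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, key_id) for every access key ID in blob."""
    hits = []
    for encoding, pattern in PATTERNS.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), encoding, m.group().decode(encoding)))
    return sorted(hits)


def redact(key_id: str) -> str:
    """Keep CI logs from becoming a second leak: show prefix and tail only."""
    return f"{key_id[:4]}{'*' * 12}{key_id[-4:]}"


def scan_files(paths: list[str]) -> int:
    """Print redacted findings; return the number of hits (non-zero fails CI)."""
    total = 0
    for path in paths:
        with open(path, "rb") as fh:
            for offset, encoding, key_id in find_key_ids(fh.read()):
                print(f"{path}:0x{offset:x} [{encoding}] {redact(key_id)}")
                total += 1
    return total


if __name__ == "__main__":
    sys.exit(1 if scan_files(sys.argv[1:]) else 0)
```

A hit means the key must be rotated, not just deleted from the next build, since every previously shipped binary still contains it.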

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
SEC Consult publicly discloses Worksnaps credential exposure
On 2026-06-18, SEC Consult publicly disclosed CVE-2025-10560, describing hardcoded cloud credentials in Worksnaps client binaries that exposed production AWS resources and sensitive S3-hosted screenshot data.
Worksnaps fix released in version 1.6.20260201
Worksnaps version 1.6.20260201 was identified as the fixed release for CVE-2025-10560, addressing the hardcoded cloud credential exposure in earlier client versions.
TypeBot fixes CVE-2026-48768 in version 3.17.0
TypeBot addressed CVE-2026-48768 in version 3.17.0, which fixed the unsanitized fileName handling and related upload control weaknesses described in the advisory.
TypeBot arbitrary S3 object write vulnerability is published
On 2026-06-17, CVE-2026-48768 was published for TypeBot, describing an unauthenticated arbitrary S3 object write flaw in the generate-upload-url endpoint affecting version 3.16.1 and earlier.
SEC Consult reports Worksnaps hardcoded AWS root credentials to vendor
On 2025-07-17, SEC Consult reported to Silver Leaf Technologies that the Worksnaps Windows client contained hardcoded AWS credentials providing root-level access to the vendor's production cloud environment.
Vendor implements further Worksnaps client and server-side mitigations
Silver Leaf Technologies later introduced additional mitigations, including pre-signed PUT URLs and server-side changes, to address the exposed cloud access issue in Worksnaps.
Vendor removes original hardcoded root credentials from Worksnaps client
After the initial report, Silver Leaf Technologies updated the Worksnaps client to remove the originally embedded AWS root credentials. SEC Consult found, however, that the client still obtained decryptable AWS credentials from the server during login, so access to screenshot buckets remained possible.
Sources
CVE-2025-10560 - Hardcoded cloud credentials in Worksnaps client application binaries expose production cloud resources
cvefeed.io
CVE-2026-48768 - TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized fileName
cvefeed.io
Full Disclosure: SEC Consult SA-20260618-0 :: Hardcoded Root Cloud Credentials in Application Binaries in Silver Leaf Technologies - Worksnaps.net Worksnaps
seclists.org


