A newly disclosed security flaw in the Amazon WorkSpaces client for Linux has raised serious concerns across organizations relying on AWS virtual desktop infrastructure. The vulnerability, identified as CVE-2025-12779, enables local attackers to extract valid authentication tokens and gain unauthorized access to other users’ WorkSpace sessions.
On November 5, 2025, AWS issued a formal security bulletin, AWS-2025-025, detailing the issue and urging immediate remediation. The bulletin categorized the flaw as “Important (requires attention)” and warned users that improper token handling in specific client versions could expose sensitive credentials on shared systems.
CVE-2025-12779 Vulnerability Details and Impact
According to the advisory, the vulnerability affects the Amazon WorkSpaces client for Linux versions 2023.0 through 2024.8. These versions mishandle authentication tokens used in DCV-based WorkSpaces, potentially leaving them accessible to other local users on the same client machine. Under the right conditions, a malicious local user could retrieve these tokens and establish unauthorized access to another individual’s virtual desktop session.
In its official statement, AWS noted:
“Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, an unintended user may be able to extract a valid authentication token from the client machine and access another user’s WorkSpace.”
The issue stems from improper token management within the affected client versions. When deployed in multi-user or shared Linux environments, these tokens may remain accessible to other users on the system. This creates a direct path for attackers to exploit the weakness and impersonate legitimate users.
Once a valid token is obtained, an attacker can connect to the victim’s WorkSpace as an authenticated user, bypassing standard access controls. Because the session would appear legitimate, traditional network-based intrusion detection tools might fail to detect the compromise. This allows an attacker to maintain persistent access to sensitive applications, data, and system resources hosted within the virtual environment.
The CVE-2025-12779 flaw highlights a critical risk in desktop virtualization environments where shared systems or contractor workstations are common. Unlike remote exploits that target network vulnerabilities, this issue operates at the local level.
AWS Response and Patch Availability
To mitigate the vulnerability, AWS confirmed that the problem has been resolved in the Amazon WorkSpaces client for Linux version 2025.0. Users are strongly advised to upgrade to version 2025.0 or newer as soon as possible. The updated client can be downloaded directly from the Amazon WorkSpaces Client Download page.
Furthermore, AWS announced the end of support for the affected client versions, effectively requiring all organizations to transition to the patched release. Security teams are urged to audit their current deployments to identify any instances still running versions 2023.0 through 2024.8. Immediate upgrades should be prioritized for environments where multiple users share access to the same Linux systems.
In addition to updating software, organizations are encouraged to review access logs for signs of unauthorized token extraction or abnormal login activity during the period when the vulnerability was active. This step is critical for detecting potential breaches that may have already occurred before the patch was applied.
