A severe security vulnerability has been identified in the Amazon WorkSpaces client for Linux, posing a substantial risk for organizations utilizing AWS’s virtual desktop infrastructure. This flaw, designated as CVE-2025-12779, allows malicious local users to extract valid authentication tokens, leading to unauthorized access to other users’ Workspace sessions.
On November 5, 2025, AWS published security bulletin AWS-2025-025 to underscore the urgency of addressing this critical issue. The vulnerability arises from improper token management within the WorkSpaces client and affects versions ranging from 2023.0 to 2024.8.
| CVE ID | Impacted Products | Impacted Versions | CVSS Score | Resolution |
| CVE-2025-12779 | Amazon WorkSpaces client for Linux | 2023.0 through 2024.8 | Pending | Upgrade to 2025. |
The risk escalates particularly when these versions are deployed on shared Linux systems or in multi-user environments, rendering authentication tokens accessible to local users. An attacker operating in such a setting can exploit this vulnerability to extract tokens, thereby gaining control over another user’s virtual workspace, which grants full access to that individual’s private environment and associated resources.
Token Extraction and Access Control Implications
The technical nature of this vulnerability constitutes a significant breach in desktop virtualization security. Unlike conventional network-based attacks, this threat is localized, making it especially hazardous in environments where shared systems or contractor access is commonplace. The exposed authentication tokens function as valid credentials, allowing attackers to establish authenticated sessions without alerting standard intrusion detection systems.
This means an attacker could sustain consistent access to sensitive data and business systems within a compromised Workspace. In response to this critical issue, AWS has strongly urged all users on the affected versions to upgrade to version 2025.0 or higher immediately, as support for the vulnerable versions has been discontinued.
Organizations should take swift action to update all impacted deployments, particularly in shared settings where multiple users access the same Linux systems. It is essential for security teams to audit their WorkSpaces installations to pinpoint instances running versions 2023.0 through 2024.8 and to execute a comprehensive update strategy tailored to all affected systems. High-risk environments handling sensitive data should receive priority in this effort.
Additionally, organizations are advised to meticulously review access logs for any suspicious attempts at token extraction or unauthorized access to WorkSpaces during the period of vulnerability. By recognizing the potential implications of this breach, businesses can better protect themselves against emerging cybersecurity threats.
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
