
Amazon WorkSpaces Linux Bug Lets Attackers Steal Credentials

A flaw in Amazon WorkSpaces for Linux lets attackers steal authentication tokens.

Written By
Ken Underhill
Nov 7, 2025

A newly disclosed security flaw in Amazon WorkSpaces client for Linux could allow attackers to extract valid authentication tokens and gain unauthorized access to corporate environments.

The vulnerability poses a serious risk to organizations relying on Amazon’s desktop-as-a-service platform for remote operations.

In its advisory, Amazon AWS stated: “Under certain circumstances, an unintended user may be able to extract a valid authentication token from the client machine and access another user’s WorkSpace.”

Vulnerability Scope and Impact

The vulnerability (CVE-2025-12779) affects Amazon WorkSpaces client versions 2023.0 through 2024.8, exposing enterprises that depend on Linux-based or hybrid remote desktop infrastructure. 

Improper isolation between local user sessions means that any user with command-line or system-level access on a shared machine could retrieve another user’s authentication credentials.

This vulnerability creates a potential risk of lateral movement using compromised credentials.

Inside the Token Flaw

The root cause lies in improper token handling. When the Linux client generates and stores DCV-based authentication tokens, it fails to enforce adequate isolation between users on the same host system. 

This creates a window where unintended users could extract valid tokens, bypassing session-level authentication safeguards.

While Amazon WorkSpaces includes multiple cloud-side security layers, this client-side oversight represents a credential management failure. 

In shared or multi-user systems — common in development and testing environments — an attacker could potentially impersonate another user, accessing sensitive data or business applications tied to that account.

The vulnerability has a CVSS score of 8.8 and was resolved in the Amazon WorkSpaces client for Linux version 2025.0 and later. 

There is currently no evidence of active exploitation in the wild, but the ease of local access may make proof-of-concept (PoC) exploits likely in the near future.

Defend Your WorkSpaces Environment

To limit exposure to CVE-2025-12779 and protect Amazon WorkSpaces environments, organizations should take the following actions:

  • Upgrade immediately to Amazon WorkSpaces for Linux version 2025.0 or higher, and ensure all deployments are patched using centralized or automated management tools.
  • Conduct a full client inventory to identify all affected Linux WorkSpaces installations and remove or isolate unsupported versions.
  • Harden endpoint security by restricting root/sudo access, enforcing proper file permissions, and clearing cached tokens or session data after logout.
  • Implement strong access controls by applying least-privilege principles, enforcing MFA, and using short-lived authentication tokens for all WorkSpaces sessions.
  • Enhance monitoring and incident response through log audits, SIEM alerts for unusual authentication activity, and regular vulnerability scanning.
  • Strengthen network and IAM protections by segmenting WorkSpaces traffic, limiting API access, and enforcing IAM policies that minimize privilege exposure.

By prioritizing these controls, organizations can reduce the risk of token compromise and unauthorized access. 
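The inventory and file-permission steps above can be scripted. The following is an added example, not code from Amazon or from this article: it triages a client inventory against the version ranges stated above and lists files in a directory that group or other users can access. The hostnames and version strings are constructed, the dotted version format is an assumption, and the directory to audit is a parameter because the article does not say where the client stores its tokens.

```python
import os
import stat
import sys

# Version bounds taken from the article: 2023.0 through 2024.8 affected, 2025.0 fixed.
AFFECTED_MIN, AFFECTED_MAX, FIXED_IN = (2023, 0), (2024, 8), (2025, 0)

def classify(version):
    """Map a dotted client version string to a triage status."""
    try:
        major, minor = (int(p) for p in version.strip().split(".")[:2])
    except ValueError:
        return "unknown"          # unparseable: inspect the host by hand
    v = (major, minor)
    if v >= FIXED_IN:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "review"               # outside both stated ranges, e.g. pre-2023 builds

def triage(inventory):
    """inventory: {hostname: version string} -> {hostname: status}."""
    return {host: classify(ver) for host, ver in inventory.items()}

def exposed_files(root):
    """List regular files under root whose mode grants group or other any access."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue          # skip symlinks, sockets, FIFOs
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                hits.append((path, oct(mode)))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and version strings are illustrative.
    sample = {"dev-01": "2024.8.5130", "dev-02": "2025.0.1",
              "lab-07": "2023.0", "kiosk": "n/a"}
    for host, status in sorted(triage(sample).items()):
        print(f"{host:8} {status}")
    # Optional argument: the per-user directory to audit (site-specific, not from the article).
    if len(sys.argv) > 1:
        for path, mode in exposed_files(sys.argv[1]):
            print(f"{mode} {path}")
```

Hosts reported as `review` or `unknown` fall outside the ranges the article states and need a manual check rather than an assumption either way.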

When Endpoints Undermine the Cloud

This vulnerability highlights a recurring theme in enterprise security: even robust cloud infrastructure can be undermined by weak points on the client side.

The flaw underscores the importance of defense-in-depth, where both cloud and endpoint layers enforce strong authentication, encryption, and session isolation. 

It also reinforces the need for automated update pipelines that can push patches rapidly across distributed systems without manual intervention.

As organizations address these client-side risks, adopting broader cloud security best practices becomes essential to building true cyber resilience.
