Amazon Web Services (AWS) has disclosed a significant security flaw in its WorkSpaces client for Linux, potentially allowing local attackers to steal authentication tokens and hijack user sessions.
Identified as CVE-2025-12779, the vulnerability stems from improper handling of authentication tokens in the client software, raising concerns for organizations relying on virtual desktop infrastructure (VDI) for remote work.
The issue affects versions from 2023.0 to 2024.8 and was publicly detailed in AWS security bulletin AWS-2025-025 on November 5, 2025.
This flaw exposes authentication tokens used for Desktop and Application Streaming (DCV) protocol in WorkSpaces, a cloud-based service that delivers secure virtual desktops to end-users.
In multi-user environments, such as shared Linux machines in enterprise settings, a malicious local user could extract a valid token from the client’s memory or temporary files.
This token theft enables unauthorized access to another user’s WorkSpace, potentially leading to data exfiltration, privilege escalation, or lateral movement within the network.
While the vulnerability requires physical or local access to the affected machine limiting remote exploitation its implications are severe for high-security sectors like finance and healthcare, where shared systems are common.
Vulnerability Breakdown
The root cause lies in the client’s inadequate token isolation. During authentication, the WorkSpaces client processes and stores tokens insecurely, making them readable by other processes or users on the same system.
AWS noted that under specific conditions, such as concurrent sessions or debug logging, tokens become accessible via standard Linux tools like process monitoring or file enumeration.
No sophisticated exploits are needed; a low-privilege local user suffices. The bulletin emphasizes that this issue does not impact Windows or macOS clients, narrowing the scope to Linux deployments.
| CVE ID | Description | Affected Versions | CVSS Score | Severity |
|---|---|---|---|---|
| CVE-2025-12779 | Improper authentication token handling exposes DCV tokens to local users, enabling unauthorized WorkSpace access. | Amazon WorkSpaces Linux client 2023.0 – 2024.8 | 6.5 (Medium) | Important |
AWS has classified this as “Important,” urging immediate attention due to the potential for session hijacking.
Mitigation Steps and Outlook
To address the vulnerability, AWS recommends upgrading to version 2025.0 or later, available via the official Amazon WorkSpaces Client Download page.
The update enforces stricter token encryption and ephemeral storage, eliminating exposure risks.
For organizations still on legacy versions, AWS has announced end-of-support for affected releases, prompting proactive notifications to customers.
In the interim, administrators should enforce least-privilege access on Linux hosts, monitor for anomalous token usage, and consider isolating WorkSpaces sessions.
This incident underscores the evolving threats in cloud VDI, where client-side security often lags behind server protections.
As remote work persists, timely patching remains crucial to safeguard hybrid environments.
 has disclosed a significant security flaw in its WorkSpaces client for Linux, potentially allowing local){kind=link}