Summary: Amazon patched a vulnerability in the Linux version of its WorkSpaces client that improperly handles authentication tokens in versions 2023.0 through 2024.8.
OEM: Amazon
Severity: High
CVSS Score: 8.8
CVEs: CVE-2025-12779
POC Available: No
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0
Overview
This flaw allows local users on the same machine, such as in shared, multi-user environments, to extract valid authentication tokens.
Such tokens can be used to impersonate other users and gain unauthorized access to their virtual desktop sessions, exposing sensitive data and applications.
The issue does not allow remote exploitation, but it poses a significant risk in workplaces that use shared Linux systems for WorkSpaces access.
Vulnerability Name: Improper Authentication Token Handling in Amazon WorkSpaces Client
CVE ID: CVE-2025-12779
Product Affected: Amazon WorkSpaces client for Linux
Severity: High
Fixed Version: 2025.0
Technical Summary
The root cause lies in insecure management of authentication tokens, which lets unintended local users extract them. The vulnerability was rated high severity, and Amazon issued a fix in version 2025.0 of the client.
The update improves session isolation and secures token handling, protecting against lateral token theft.
Users and administrators are strongly advised to upgrade promptly to avoid the unauthorized-access risks associated with multi-user Linux setups, which are common in corporate and virtual machine environments.
CVE ID: CVE-2025-12779
Component Affected: Amazon WorkSpaces client for Linux (versions 2023.0 through 2024.8)
Vulnerability Details: Local users on shared Linux machines can extract authentication tokens due to improper token handling, allowing them to access other users’ WorkSpaces.
Impact: Unauthorized access to another user’s workspace
Recommendations
Update the Amazon WorkSpaces client for Linux immediately to version 2025.0 or later.
Conclusion: This vulnerability highlights the criticality of robust token security in virtual desktop clients, especially for environments with shared access.
Amazon’s swift patch release underscores the need for continuous vigilance and timely updates to maintain secure remote workspace solutions and prevent privilege escalation through token leakage. Upgrading to the patched version effectively mitigates the exposure and secures user sessions.
The most recent disruption with worldwide impact is the AWS outage. The AWS (Amazon Web Services) disruption happened on October 20, 2025 and was centered on its US-EAST-1 cloud region. It triggered a series of failures and disrupted the normal operation of a number of consumer apps, finance and government portals, and parts of Amazon’s own services.
The AWS outage caused disruptions at over 3,500 companies across more than 60 countries, placing it among the largest internet outages on record for Downdetector.
The crucial question is how the disruption affected digital services and what it means for organizations relying on third-party cloud service providers, for developers, and for others in the ecosystem who depend on AWS services staying up.
AWS holds 30% of the global cloud infrastructure market, so a disruption of this kind is hard on everyone relying on AWS infrastructure. Many global apps and websites rely heavily on AWS for cloud hosting and data processing, which means a disruption can rapidly become widespread, creating a knock-on effect for many services, and businesses may face challenges returning to normal.
Origin of the AWS incident:
The incident originated in the US-EAST-1 (Northern Virginia) region, one of AWS’s oldest and most heavily utilized hubs, and impacted key services such as DynamoDB, EC2, Lambda, and SQS.
As these services started failing, the impact spread widely across AWS’s internal infrastructure and external applications, affecting end users of Snapchat, Pinterest, Fortnite, Signal and others. Previous major outages (2017, 2021 and 2023) also originated in the same US-EAST-1 region.
The outage shed light on the most crucial point: over-reliance on a single point of cloud infrastructure. AWS pointed to DNS issues and acknowledged that global services or features relying on US-EAST-1 endpoints, such as IAM updates and DynamoDB Global tables, “may also be experiencing issues.”
DNS issue resolved as per AWS:
After the disruption, AWS said the DNS issue had “been fully mitigated” and that most AWS service operations were succeeding normally. However, it added that some requests may be throttled “while we work toward full resolution.”
Technical Analysis of the AWS Disruption:
The investigation revealed a control plane failure in the US-EAST-1 region, triggered by unexpected behavior within AWS’s internal load balancing and routing layer: a configuration change in the service responsible for metadata and service discovery propagated inconsistently.
This led to authentication and routing failures for dependent instances and services, which in turn caused congestion and resource exhaustion across interdependent services like EC2, Lambda, and S3, all of which rely on low-latency internal communication.
The hardest-hit services
The hardest-hit services by report count included Snapchat (~3M), AWS itself (~2.5M), Roblox (~716k), Amazon retail (~698k), Reddit (~397k), Ring (~357k) and Instructure (~265k). The UK alone generated more than 1.5M reports, far exceeding a typical day’s ~1M global baseline across all markets, highlighting both the unique intensity and breadth of this event.
Most of the apps we use are chains of managed services: storage, queues, and serverless functions. If DNS cannot reliably resolve a critical endpoint (for example, the DynamoDB API involved here), errors cascade through upstream APIs and cause visible failures in apps that users do not associate with AWS. That is precisely what Downdetector recorded across Snapchat, Roblox, Signal, Ring, HMRC, and others.
Cloud infrastructure should be of national importance
The AWS outage highlighted that cloud infrastructures are not risk free and that over-dependence on a single point is dangerous: a fault in the infrastructure stack on which everything else depends can trigger cascading failures, and redundancy has to be built in to absorb them.
The need of the hour is to recognize that cloud infrastructure should be of national importance, and that a failure anywhere in the stack can only be overcome with a systematic approach. This requires breaking the stack down into its parts and diversifying the routes, so that in the event of an outage the remaining parts can recover without depending on a single point of the platform.
Organizations relying solely on a single AWS region, or without robust multi-region, multi-cloud, or hybrid failover mechanisms, faced significant downtime and operational risk, a wake-up call for governments.
Various governments across Europe have recognized the risk associated with cloud infrastructure and introduced policies, for example the EU’s flagship Digital Operational Resilience Act (DORA), which introduces EU-level oversight of critical ICT third-party providers, and the UK’s Critical Third Parties regime for finance. These toolkits will act as balancers when it comes to reporting, stress management, incident reporting and the transparency required by mandate.
Why is network resilience important?
The AWS disruption highlighted the importance of network resilience. Network resilience prevents single points of failure through backup systems and alternative pathways. It also helps systems adapt to sudden increases in demand without degrading performance, while efficiently reallocating resources and adapting to changing conditions.
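As an added example of the failover and single-point avoidance this section calls for (not code from AWS or the article), a client that orders regional endpoints, skips one whose calls keep failing, and simulates the primary endpoint no longer resolving; endpoint names are constructed and callFn is a hypothetical stand-in for a DynamoDB request.

```javascript
// Added example, not AWS or article code: a client that fails over between regional
// endpoints and stops retrying one whose calls keep failing (for example because its
// hostname no longer resolves). callFn(endpoint, request) is a hypothetical stand-in.

class RegionalClient {
  // endpoints: ordered list, primary region first. now(): injectable clock for tests.
  constructor(endpoints, callFn, { maxFailures = 3, cooldownMs = 30000, now = Date.now } = {}) {
    this.endpoints = endpoints;
    this.callFn = callFn;
    this.maxFailures = maxFailures;
    this.cooldownMs = cooldownMs;
    this.now = now;
    this.state = new Map(endpoints.map((e) => [e, { failures: 0, openUntil: 0 }]));
  }

  // Breaker is open while the endpoint is in its cooldown after repeated failures.
  isOpen(endpoint) {
    return this.state.get(endpoint).openUntil > this.now();
  }

  // Try endpoints in order, skipping open breakers, so a dead primary region costs
  // one failed attempt per request until its breaker opens, and none after that.
  call(request) {
    const errors = [];
    for (const endpoint of this.endpoints) {
      const s = this.state.get(endpoint);
      if (this.isOpen(endpoint)) { errors.push(`${endpoint}: breaker open`); continue; }
      try {
        const result = this.callFn(endpoint, request);
        s.failures = 0;
        return { endpoint, result };
      } catch (err) {
        s.failures += 1;
        if (s.failures >= this.maxFailures) s.openUntil = this.now() + this.cooldownMs;
        errors.push(`${endpoint}: ${err.message}`);
      }
    }
    throw new Error(`all regions failed: ${errors.join("; ")}`);
  }
}

// Constructed stand-in for the failure mode above: one region's endpoint cannot be
// resolved (the DNS symptom AWS reported), every other region answers normally.
function makeFakeCall(deadEndpoint) {
  return (endpoint, request) => {
    if (endpoint === deadEndpoint) throw new Error(`ENOTFOUND ${endpoint}`);
    return { servedBy: endpoint, item: request.key };
  };
}
```

Failover of this kind only helps when the secondary region's data path does not itself depend on the failed region, which is exactly the catch the article notes for IAM updates and DynamoDB Global tables anchored to US-EAST-1.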
Summary: A critical security vulnerability has been disclosed in AWS Amplify Studio’s UI generation framework, with researchers releasing a proof-of-concept exploit demonstrating remote code execution capabilities.
OEM: AWS
Severity: Critical
CVSS Score: 9.5
CVEs: CVE-2025-4318
POC Available: Yes
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0
Overview
A critical vulnerability has been discovered in AWS Amplify Studio’s UI generation tool, @aws-amplify/codegen-ui, which allows Remote Code Execution (RCE) during build or render time.
Tracked as CVE-2025-4318, this flaw originates from unsafe evaluation of user-defined JavaScript expressions without proper input validation or sandboxing.
It has been assigned a CVSS score of 9.5. Exploitation could lead to unauthorized command execution, leakage of AWS secrets, or full compromise of CI/CD environments. AWS addressed the issue in version 2.20.3, replacing the unsafe eval() with a sandboxed expression evaluator.
Vulnerability Name: Unsafe Expression Evaluation in Codegen-UI
CVE ID: CVE-2025-4318
Product Affected: @aws-amplify/codegen-ui
Severity: Critical
Fixed Version: 2.20.3
Technical Summary
The vulnerability stems from how AWS Amplify Studio processed dynamic expressions defined in component fields (e.g., label, placeholder).
In affected versions, these expressions were evaluated directly with eval(), without any filtering or validation, on the assumption that they were safe.
This behavior enabled attackers to inject malicious code into UI schemas that would execute during the build or runtime process, which is particularly dangerous in CI/CD pipelines where secrets and environment variables are accessible.
A working Proof-of-Concept (PoC) has been developed and shared by researchers, which simulates the exploit using a crafted JSON component, a Node.js script and a Python server. The PoC demonstrates successful RCE via malicious input evaluated by the vulnerable tool.
CVE ID: CVE-2025-4318
System Affected: AWS Amplify Studio (<=2.20.2)
Vulnerability Details: Vulnerable versions used eval() to interpret stringified JavaScript expressions in UI components. This allowed injection of malicious expressions such as shell commands, due to the absence of validation or blacklisting.
Impact: RCE, exposure of secrets, CI/CD compromise, unauthorized system control
Remediation:
Upgrade Immediately: Update @aws-amplify/codegen-ui to version 2.20.3 or later, which replaces unsafe evaluation logic with a sandboxed function (safeEval) and a keyword blacklist.
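An added example, not code from @aws-amplify/codegen-ui or the published PoC: the eval() pattern the advisory describes next to an evaluator that recognises only the small expression grammar a label or placeholder needs. It uses an allowlist grammar rather than the keyword blacklist of the fix, since a blacklist has to anticipate every dangerous spelling; function and variable names are hypothetical.

```javascript
// Added example with hypothetical names, not code from @aws-amplify/codegen-ui.
// Vulnerable pattern: a schema-supplied string reaches eval() unfiltered.
function renderUnsafe(expr, ctx) {
  return eval(expr); // direct eval: `ctx`, `process` and `require` are all reachable
}

// Hardened: only string/number literals, dotted lookups into `ctx`, "+" and parentheses
// are recognised; every other character is rejected before anything is interpreted.
function tokenize(src) {
  return (src.match(/"[^"]*"|'[^']*'|\d+(?:\.\d+)?|[A-Za-z_][\w.]*|[+()]|\S/g) || []).map((s) => {
    if (/^["']/.test(s)) return { t: "str", v: s.slice(1, -1) };
    if (/^\d/.test(s)) return { t: "num", v: Number(s) };
    if (/^[A-Za-z_]/.test(s)) return { t: "path", v: s.split(".") };
    if (/^[+()]$/.test(s)) return { t: "op", v: s };
    throw new Error(`unsupported character ${JSON.stringify(s)}`);
  });
}

// Own properties only, so prototype members (constructor, __proto__) are unreachable.
function lookup(ctx, path) {
  return path.reduce((cur, key) => {
    const own = cur !== null && typeof cur === "object" && Object.prototype.hasOwnProperty.call(cur, key);
    if (!own) throw new Error(`unknown field ${path.join(".")}`);
    return cur[key];
  }, ctx);
}

// Grammar: sum := term ("+" term)*, term := literal | path | "(" sum ")". No call syntax exists.
function renderSafe(expr, ctx) {
  const toks = tokenize(expr);
  let i = 0;
  const term = () => {
    const tok = toks[i++];
    if (!tok || (tok.t === "op" && tok.v !== "(")) throw new Error("unexpected token");
    if (tok.t === "str" || tok.t === "num") return tok.v;
    if (tok.t === "path") return lookup(ctx, tok.v);
    const v = sum(); // tok is "("
    const close = toks[i++];
    if (!close || close.t !== "op" || close.v !== ")") throw new Error("expected )");
    return v;
  };
  const sum = () => {
    let v = term();
    while (toks[i] && toks[i].t === "op" && toks[i].v === "+") { i++; v = v + term(); }
    return v;
  };
  const result = sum();
  if (i !== toks.length) throw new Error("trailing input rejected");
  return result;
}
```

Anything outside the grammar, including calls, prototype walks such as constructor or __proto__, and statement separators, is rejected before evaluation.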
Conclusion: CVE-2025-4318 is a severe RCE vulnerability in AWS Amplify Studio caused by unsafe evaluation of JavaScript expressions during UI component rendering or generation.
A fully functional PoC exploit has been published, which clearly demonstrates the risk of using eval() in dynamic application code without input validation.
The fixed version mitigates this risk by introducing a sandboxed evaluation mechanism and filtering dangerous keywords. Organizations using Amplify Studio should upgrade immediately and audit all inputs and build processes for safety.
AWS security teams have advised developers to immediately upgrade to version 2.20.3 or later and audit all existing component schemas for potentially unsafe expressions.
The incident highlights the critical importance of implementing secure coding practices in low-code development platforms where user input directly influences code generation and execution processes.
Threat actors demand ransom payment for the symmetric AES-256 keys required to decrypt data
Amazon S3 buckets have been encrypted using AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) after threat actors somehow obtained details of the keys. This let them demand a ransom for the decryption key.
The campaign was discovered by Halcyon. According to them, after exploiting the compromised keys, the threat actors call the “x-amz-server-side-encryption-customer-algorithm” header and use a locally stored AES-256 encryption key they generate to lock up the victims’ files. There is a good chance that more cybercriminal groups will adopt this tactic.
The threat actor looks for keys with permissions to write and read S3 objects (s3:GetObject and s3:PutObject requests), and then launches the encryption process by calling the SSE-C algorithm, utilizing a locally generated and stored AES-256 encryption key.
“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.
According to Halcyon, because the attack relies on AWS’s infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it. Halcyon reported its findings to Amazon, and the cloud services provider told them that they do their best to promptly notify customers who have had their keys exposed so they can take immediate action.
In recent months, hackers and cybercriminals have gained traction and have begun targeting product gateways to find ways to extort the customers using them.
Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys, the Halcyon team says.
Ransomware capabilities have gained a new tactic in which the threat actor first obtains an AWS customer’s account credentials, and there is no known method by which the data can be recovered without paying the ransom.
AWS encourages customers to utilize its security tools, such as IAM roles, Identity Center and Secrets Manager, to minimize credential exposure and improve their defensive posture.
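As an added example (not Halcyon's or AWS's code), two defender-side controls for the SSE-C pattern above: a bucket-policy statement that refuses writes carrying the header quoted above, and a scan of CloudTrail S3 data events for object writes that applied SSE-C, grouped by access key. It assumes the documented s3:x-amz-server-side-encryption-customer-algorithm condition key and the additionalEventData.SSEApplied field of CloudTrail S3 data events; the sample records and access key IDs are constructed.

```javascript
// Added example, not Halcyon's or AWS's code. Assumes the documented condition key
// s3:x-amz-server-side-encryption-customer-algorithm and the CloudTrail field
// additionalEventData.SSEApplied; sample records below are constructed.

// Deny any PutObject that carries the SSE-C algorithm header, for buckets that
// never legitimately use customer-provided keys. Null: "false" means "key present".
function denySseCStatement(bucket) {
  return {
    Sid: "DenySseCWrites",
    Effect: "Deny",
    Principal: "*",
    Action: "s3:PutObject",
    Resource: `arn:aws:s3:::${bucket}/*`,
    Condition: { Null: { "s3:x-amz-server-side-encryption-customer-algorithm": "false" } },
  };
}

// Group SSE-C object writes by the access key that made them: a burst of SSE-C
// PutObject/CopyObject calls from one key is the signal for the extortion pattern.
function findSseCWrites(records) {
  const byActor = new Map();
  for (const r of records) {
    if (r.eventSource !== "s3.amazonaws.com") continue;
    if (!["PutObject", "CopyObject"].includes(r.eventName)) continue;
    if (!r.additionalEventData || r.additionalEventData.SSEApplied !== "SSE_C") continue;
    const actor = (r.userIdentity && r.userIdentity.accessKeyId) || "unknown";
    const p = r.requestParameters || {};
    const hits = byActor.get(actor) || [];
    hits.push(`${p.bucketName}/${p.key}`);
    byActor.set(actor, hits);
  }
  return byActor;
}

// Constructed CloudTrail-style records, trimmed to the fields the scan uses.
const rec = (eventName, accessKeyId, key, SSEApplied) => ({
  eventSource: "s3.amazonaws.com", eventName, userIdentity: { accessKeyId },
  requestParameters: { bucketName: "finance-reports", key }, additionalEventData: { SSEApplied },
});
const SAMPLE_RECORDS = [
  rec("PutObject", "AKIAEXAMPLE0000000001", "q3/ledger.csv", "SSE_C"),
  rec("PutObject", "AKIAEXAMPLE0000000002", "q3/notes.txt", "SSE_S3"),
  rec("GetObject", "AKIAEXAMPLE0000000001", "q3/ledger.csv", "SSE_C"),
];
```

Apply the deny only to buckets with no legitimate SSE-C use, and treat the scan as a detection signal rather than a recovery path: once SSE-C writes have completed, the data cannot be read without the key the attacker holds.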