CVE-2025-12779: CWE-497 Access of Sensitive System Information to an Unauthorized Control Sphere in Amazon Amazon WorkSpaces
Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, a local user may be able to extract another local user's authentication token from the shared client machine and access their WorkSpace. To mitigate this issue, users should upgrade to the Amazon WorkSpaces client for Linux version 2025.0 or later.
AI Analysis
Technical Summary
CVE-2025-12779 is classified under CWE-497, access of sensitive system information to an unauthorized control sphere. Specifically, the Amazon WorkSpaces client for Linux versions 2023.0 through 2024.8 mishandles authentication tokens used for DCV-based WorkSpaces. These tokens, which are critical for authenticating users to their virtual desktop environments, can be exposed to other local users on the same machine due to insufficient isolation or improper storage mechanisms. An attacker with low-privilege local access can extract these tokens without requiring user interaction, thereby impersonating other users and gaining unauthorized access to their WorkSpaces. The vulnerability affects confidentiality (exposure of authentication tokens), integrity (unauthorized access and potential manipulation of user sessions), and availability (possible session hijacking or disruption). The CVSS 4.0 score of 8.8 reflects the high impact and relatively low complexity of exploitation, with low privileges and no user interaction needed. Amazon has released version 2025.0 of the WorkSpaces client for Linux to remediate this issue by improving token handling and isolation. No public exploits have been reported yet, but the vulnerability poses a significant risk in multi-user Linux environments where WorkSpaces clients are shared or accessible by multiple users.
Potential Impact
For European organizations, this vulnerability poses a serious risk to the security of virtual desktop infrastructure (VDI) environments, especially those leveraging Amazon WorkSpaces on Linux clients. Unauthorized access to authentication tokens could lead to lateral movement within corporate networks, data breaches, and compromise of sensitive business information. Organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, could face regulatory penalties if such breaches occur. The vulnerability undermines user session confidentiality and integrity, potentially allowing attackers to impersonate legitimate users without detection. Given the increasing adoption of cloud-based VDI solutions in Europe and the prevalence of Linux in enterprise environments, the threat surface is significant. Additionally, the lack of required user interaction and the low privilege needed for exploitation increase the likelihood of successful attacks in shared or multi-user systems.
Mitigation Recommendations
The primary mitigation is to upgrade the Amazon WorkSpaces client for Linux to version 2025.0 or later, where the token handling flaw has been corrected. Organizations should enforce strict access controls on Linux client machines to limit local user access and prevent unauthorized users from accessing shared resources. Implementing endpoint security solutions that monitor and restrict access to sensitive files and memory regions can help detect and block token extraction attempts. Additionally, organizations should audit and restrict the use of shared Linux workstations where multiple users have accounts, minimizing the risk of token exposure. Employing multi-factor authentication (MFA) for WorkSpaces access can reduce the impact of token theft by requiring additional verification. Regularly reviewing and rotating authentication tokens and session credentials can further limit the window of opportunity for attackers. Finally, educating users about the risks of local privilege escalation and enforcing least privilege principles on client machines will reduce exposure.
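One way to triage endpoints against the affected version range and the shared-workstation condition described above, as an added example that is not part of the original advisory or Amazon's tooling. The version strings, build numbers and passwd lines are constructed sample data, and treating UID 1000 and above with a real login shell as a human account is an assumption.

```python
import re

# Version bounds taken from the advisory text.
AFFECTED_MIN, AFFECTED_MAX, FIXED_MIN = (2023, 0), (2024, 8), (2025, 0)

def client_status(version_text):
    """Classify a client version string such as '2024.8.5130' by major.minor."""
    m = re.match(r"\s*(\d+)\.(\d+)", version_text or "")
    if not m:
        return "unknown"
    v = (int(m.group(1)), int(m.group(2)))  # numeric compare, so 2024.10 > 2024.8
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "fixed" if v >= FIXED_MIN else "outside-advisory-range"

def interactive_users(passwd_text, uid_min=1000):
    """List human-looking logins (assumed: UID >= uid_min, real login shell)."""
    users = []
    for line in passwd_text.splitlines():
        f = line.strip().split(":")
        if len(f) != 7 or not f[2].isdigit():
            continue
        uid, shell = int(f[2]), f[6]
        if uid < uid_min or uid == 65534:          # system accounts, nobody
            continue
        if shell.endswith(("/nologin", "/false")):
            continue
        users.append(f[0])
    return users

def triage(version_text, passwd_text):
    """Combine both conditions: the exposure needs a second local user."""
    status = client_status(version_text)
    users = interactive_users(passwd_text)
    if status == "affected":
        priority = "urgent" if len(users) > 1 else "upgrade"
    elif status == "unknown":
        priority = "investigate"
    else:
        priority = "none"
    return {"status": status, "local_users": users, "priority": priority}

# Constructed sample data (account names are made up).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc-backup:x:1002:1002::/var/backup:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin"""
```

Feed `triage` the installed client version reported by the host's package manager and the contents of its `/etc/passwd`; hosts that come back `urgent` are the shared machines running an affected client.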
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: AMZN
- Date Reserved: 2025-11-05T20:58:46.275Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690bc2956ab8174a0d403370
Added to database: 11/5/2025, 9:33:09 PM
Last enriched: 11/5/2025, 9:38:06 PM
Last updated: 11/6/2025, 12:06:08 PM