CVE-2025-12779: CWE-497 Access of Sensitive System Information to an Unauthorized Control Sphere in Amazon WorkSpaces
Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, a local user may be able to extract another local user's authentication token from the shared client machine and access their WorkSpace. To mitigate this issue, users should upgrade to the Amazon WorkSpaces client for Linux version 2025.0 or later.
AI Analysis
Technical Summary
CVE-2025-12779 is a vulnerability classified under CWE-497, which covers exposure of sensitive system information to an unauthorized control sphere. It affects the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8. The root cause is improper handling of the authentication tokens used for DCV-based WorkSpaces sessions: the client fails to adequately isolate or protect these tokens in the local environment, allowing other local users on the same machine to extract them. An attacker who obtains another user's authentication token can impersonate that user and access their WorkSpace without additional credentials or user interaction. Exploitation requires local access with limited privileges (PR:L) and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high because unauthorized access to a WorkSpace can lead to data theft, manipulation, or disruption of services. The vulnerability has a CVSS 4.0 score of 8.8, reflecting its high severity. Amazon has released version 2025.0 of the WorkSpaces client for Linux to remediate this issue by improving token handling and isolation. No known exploits are currently in the wild, but the vulnerability's characteristics make it a significant risk in multi-user Linux environments where WorkSpaces clients are used.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of remote desktop sessions conducted via Amazon WorkSpaces on Linux clients. Attackers with local access to shared machines—such as in co-working spaces, shared offices, or multi-user systems—could extract authentication tokens and gain unauthorized access to sensitive corporate environments. This could lead to data breaches, intellectual property theft, or unauthorized changes to critical systems. The availability of WorkSpaces sessions could also be impacted if attackers disrupt or lock out legitimate users. Organizations relying heavily on Amazon WorkSpaces for remote work, especially those with Linux-based client deployments, face increased exposure. The risk is heightened in sectors with stringent data protection requirements such as finance, healthcare, and government agencies across Europe. Additionally, the vulnerability could facilitate lateral movement within networks if attackers escalate privileges after initial token theft.
Mitigation Recommendations
European organizations should immediately upgrade all Amazon WorkSpaces Linux clients to version 2025.0 or later to remediate this vulnerability. Beyond patching, organizations should enforce strict local user access controls on shared machines to limit the number of users with local login capabilities. Implementing endpoint security solutions that monitor for unusual token access or extraction attempts can provide early detection. Employing multi-factor authentication (MFA) for WorkSpaces sessions can add an additional layer of security, mitigating risks if tokens are compromised. Network segmentation should be used to isolate critical WorkSpaces environments from less secure local user environments. Regular audits of user permissions and session logs can help identify suspicious activity. Finally, educating users about the risks of shared machines and enforcing policies to avoid sharing Linux client devices for WorkSpaces access can reduce exposure.
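To prioritize the upgrade across a fleet, the following added example (not from the advisory or from Amazon) classifies hosts by client version and by whether more than one local account can log in. The inventory columns, host names and build numbers are constructed for illustration; only the affected range 2023.0 through 2024.8 comes from the advisory.

```python
import csv
import io

# Affected range as stated in the advisory: 2023.0 through 2024.8 (fixed in 2025.0).
FIRST_AFFECTED = (2023, 0)
LAST_AFFECTED = (2024, 8)


def major_minor(version):
    """Return (major, minor) from a version string; extra build fields are ignored."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unparseable client version: {version!r}")
    return int(parts[0]), int(parts[1])


def is_affected(version):
    return FIRST_AFFECTED <= major_minor(version) <= LAST_AFFECTED


def triage(inventory_csv):
    """Classify each host as 'urgent', 'upgrade', 'ok' or 'review'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        try:
            affected = is_affected(row["client_version"])
            shared = int(row["login_accounts"]) > 1
        except ValueError:
            results[host] = "review"  # never treat unparseable data as safe
            continue
        # Affected clients on shared machines come first: the token is exposed
        # to other local users, so multi-user hosts carry the real risk.
        results[host] = ("urgent" if shared else "upgrade") if affected else "ok"
    return results


# Constructed sample inventory (hypothetical hosts, build numbers and column names).
SAMPLE = """host,client_version,login_accounts
kiosk-01,2024.8.5130,6
dev-17,2023.0.4395,1
lab-03,2025.0.5212,4
legacy-02,4.7.0.4312,3
build-09,unknown,2
"""

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Hosts marked `review` have a version string that could not be parsed and should be checked by hand rather than assumed patched.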
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: AMZN
- Date Reserved: 2025-11-05T20:58:46.275Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690bc2956ab8174a0d403370
Added to database: 11/5/2025, 9:33:09 PM
Last enriched: 11/12/2025, 10:04:01 PM
Last updated: 12/21/2025, 11:37:23 AM