CVE-2025-0500
Published: 15 January 2025
Description
An issue in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients may allow an attacker to access remote sessions via man-in-the-middle.
Security Summary
CVE-2025-0500, published on 2025-01-15, affects the native clients for Amazon WorkSpaces when running the Amazon DCV protocol, Amazon AppStream 2.0, and Amazon DCV Clients. The vulnerability, linked to CWE-295, involves an issue that may allow an attacker to access remote sessions via a man-in-the-middle attack. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
A remote attacker with no required privileges can exploit this over the network, though exploitation demands high attack complexity and user interaction. By performing a man-in-the-middle attack, the attacker can gain unauthorized access to remote sessions, compromising the targeted systems.
AWS security bulletin AWS-2025-001 addresses the issue, with updated release notes available for Amazon AppStream 2.0 clients, Amazon DCV (including version 2023-1-16388jul), and Amazon WorkSpaces clients for Linux and macOS. Mitigation involves updating to the latest client versions as documented in these resources.
Details
- CWE(s)