Cyber Posture

CVE-2026-5707

Severity: High · Public PoC

Published: 06 April 2026
Modified: 10 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (31.1st percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires validation of unsanitized inputs such as virtual desktop session names to prevent OS command injection attacks.

prevent: Mandates identification, reporting, and correction of flaws like this command injection vulnerability through timely patching or upgrades.

prevent: Enforces restrictions on information inputs like session names to limit the scope for crafting malicious payloads.

Security Summary

CVE-2026-5707 is a command injection vulnerability stemming from unsanitized input in an OS command used for virtual desktop session name handling in AWS Research and Engineering Studio (RES). The issue affects RES versions 2025.03 through 2025.12.01, where insufficient input validation allows malicious payloads to be injected into system commands executed on the virtual desktop host. Classified under CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for root-level compromise.

A remote authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By crafting a malicious session name, the attacker injects and executes arbitrary OS commands as root on the virtual desktop host, achieving high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) within the unchanged scope (S:U).

AWS advisories recommend upgrading to RES version 2026.03 or applying the corresponding mitigation patch to existing environments. Detailed guidance is available in the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-014-aws/, the related GitHub issue at https://github.com/aws/res/issues/151, and the release notes for version 2026.03 at https://github.com/aws/res/releases/tag/2026.03.
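The following is an added illustration of the CWE-78 pattern the summary describes and of the shape a fix takes; it is constructed example code, not RES source and not taken from the AWS bulletin or the GitHub issue. `echo` stands in for whatever host-side command RES runs with the session name, and the allowlist regex, the `session=` argument and the crafted payload are assumptions made for the demonstration. The vulnerable builder interpolates the name into a shell string run with `shell=True`, so shell metacharacters in the name become new commands; the hardened builder allowlists the name first and then passes it as a single argv element with no shell, so even a skipped validation step cannot turn the name into a second command.

```python
"""Constructed illustration of OS command injection via a session name (CWE-78).

Not RES code: the command, paths, regex and payload are hypothetical stand-ins.
Only the injection mechanism and the two-layer fix are the point.
"""
import re
import subprocess

# Assumed allowlist for session names (not an RES rule): a plain token of
# letters, digits, dot, underscore and hyphen, at most 64 characters.
SESSION_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def run_vulnerable(session_name: str) -> str:
    """Vulnerable pattern: untrusted input interpolated into a shell string.

    With shell=True, /bin/sh parses the assembled string, so characters such
    as ';', '|', '$(' and backticks inside the name are executed as commands.
    """
    cmd = f"echo session={session_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_session_name(session_name: str) -> str:
    """Allowlist check: reject anything that is not a plain token."""
    if not SESSION_NAME_RE.fullmatch(session_name):
        raise ValueError(f"invalid session name: {session_name!r}")
    return session_name


def run_hardened(session_name: str, validate: bool = True) -> str:
    """Hardened pattern: validate, then pass the name as one argv element.

    A list with shell=False means no shell ever parses the name; the
    `validate` flag exists only to show that the argv form alone already
    keeps the payload inside a single argument.
    """
    name = validate_session_name(session_name) if validate else session_name
    return subprocess.run(
        ["echo", f"session={name}"], capture_output=True, text=True
    ).stdout


def demo() -> dict:
    """Run both builders on a benign and a crafted (constructed) session name."""
    benign = "analysis-01"
    crafted = "analysis-01; echo INJECTED"  # constructed payload, harmless echo
    results = {
        "vulnerable_benign": run_vulnerable(benign).strip(),
        # The shell splits on ';' and runs the injected command as a second line.
        "vulnerable_crafted": run_vulnerable(crafted).strip().splitlines(),
        "hardened_benign": run_hardened(benign).strip(),
        # Without validation the argv form still prints the payload literally.
        "hardened_no_validation": run_hardened(crafted, validate=False).strip(),
    }
    try:
        run_hardened(crafted)
    except ValueError as exc:
        results["hardened_validation"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The validation layer is what a "mitigation patch" to an existing deployment typically adds; replacing the shell string with an argv list is the structural fix that removes the sink entirely, and the two are worth applying together because the allowlist also bounds what can reach any downstream consumer of the name.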

Details

CWE(s)

CWE-78 OS Command Injection

Affected Products

amazon research and engineering studio, versions 2025.03 through 2025.12.01 (fixed in 2026.03)

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The command injection vulnerability allows a remote, low-privileged authenticated user to execute arbitrary OS commands as root on the virtual desktop host. That maps directly to exploitation of a remote service (T1210) as the entry point, exploitation for privilege escalation (T1068) because the commands run as root rather than as the calling user, and command and scripting interpreter execution (T1059) because the injected payload is parsed and run by the host shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References