CVE-2025-0500
7.7
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
An issue in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients may allow an attacker to access remote sessions via man-in-the-middle.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Amazon | WorkSpaces Client | 5.0.0 < 5.21.0 | affected |
| Amazon | WorkSpaces Client | 2023.0 < 2024.2 | affected |
| Amazon | AppStream 2.0 Client | 1.1.1025 < 1.1.1332 | affected |
| Amazon | DCV Client | 0 < 2023.1.6703 | affected |
| Amazon | DCV Client | 2020.2.7459 < 2023.1.9127 | affected |
| Amazon | WorkSpaces Client | 5.5.0 < 5.21.0 | affected |
| Amazon | DCV Client | 2020.2.2078 < 2023.1.6703 | affected |
Weaknesses
- CWE-295: CWE-295 Improper Certificate Validation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://aws.amazon.com/security/security-bulletins/AWS-2025-001/
- https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-windows-client.html#windows-release-notes
- https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-osx-client.html#osx-release-notes
- https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-linux-client.html#linux-release-notes
- https://docs.aws.amazon.com/appstream2/latest/developerguide/client-release-versions.html
- https://docs.aws.amazon.com/dcv/latest/adminguide/doc-history-release-notes.html#dcv-2023-1-16388jul
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.