CVE-2025-0500
HIGHAmazon WorkSpaces, AppStream, and DCV Clients - Certificate Validation Session Exposure
Title source: manualDescription
An issue in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients may allow an attacker to access remote sessions via man-in-the-middle.
References (6)
Core 6
Core References
Various Sources vendor-advisory
https://aws.amazon.com/security/security-bulletins/AWS-2025-001/
Various Sources patch
release-notes
https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-windows-client.html#windows-release-notes
Various Sources patch
release-notes
https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-osx-client.html#osx-release-notes
Various Sources patch
release-notes
https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-linux-client.html#linux-release-notes
Various Sources patch
release-notes
https://docs.aws.amazon.com/appstream2/latest/developerguide/client-release-versions.html
Various Sources patch
release-notes
https://docs.aws.amazon.com/dcv/latest/adminguide/doc-history-release-notes.html#dcv-2023-1-16388jul
Scores
CVSS v3
7.5
EPSS
0.0049
EPSS Percentile
38.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-295
Status
published
Products (7)
Amazon/AppStream 2.0 Client
1.1.1025 - 1.1.1332
Amazon/DCV Client
< 2023.1.6703
Amazon/DCV Client
2020.2.2078 - 2023.1.6703
Amazon/DCV Client
2020.2.7459 - 2023.1.9127
Amazon/WorkSpaces Client
2023.0 - 2024.2
Amazon/WorkSpaces Client
5.0.0 - 5.21.0
Amazon/WorkSpaces Client
5.5.0 - 5.21.0
Published
Jan 15, 2025
Tracked Since
Feb 18, 2026