Skip to main content

Research And Engineering Studio Res CVE-2026-5707

| EUVDEUVD-2026-19548 HIGH
OS Command Injection (CWE-78)
2026-04-06 AMZN GHSA-gxfh-rxpm-86pc
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 06, 2026 - 21:46 euvd
EUVD-2026-19548
Analysis Generated
Apr 06, 2026 - 21:46 vuln.today
Patch released
Apr 06, 2026 - 21:46 nvd
Patch available
CVE Published
Apr 06, 2026 - 21:25 nvd
HIGH 8.7

DescriptionCVE.org

Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name.

To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

AnalysisAI

Remote code execution as root in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01 allows authenticated remote attackers to execute arbitrary OS commands via unsanitized input in virtual desktop session names. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78 command injection), enabling privilege escalation to root on virtual desktop hosts. Vendor-released patch available in version 2026.03. CVSS 8.7 (High) with network attack vector, low complexity, and low privileges required. No public exploit identified at time of analysis, though the technical details in GitHub issue #151 may facilitate weaponization.

Technical ContextAI

This vulnerability exploits CWE-78 (OS Command Injection) in the virtual desktop session name handling component of AWS Research and Engineering Studio, a cloud-based research computing environment. The affected software fails to sanitize user-controlled input from session names before passing them to underlying operating system commands executed on virtual desktop hosts. In command injection attacks, special shell metacharacters (such as semicolons, backticks, pipes, or command substitution syntax) embedded in untrusted input allow attackers to break out of the intended command context and execute arbitrary system commands. The CPE identifier (cpe:2.3:a:aws:research_and_engineering_studio_(res)) confirms this affects the RES product line specifically. The CVSS vector AV:N/AC:L/PR:L indicates network-accessible exploitation with low attack complexity requiring only low-privilege authentication, making this readily exploitable by any authenticated RES user. The root-level execution capability (implied by 'execute arbitrary commands as root') represents a complete compromise of the virtual desktop host, bypassing normal privilege separation.

RemediationAI

Upgrade immediately to AWS Research and Engineering Studio version 2026.03 or later, which contains the complete fix for this command injection vulnerability. The patched release is available at https://github.com/aws/res/releases/tag/2026.03. For environments where immediate upgrade is not feasible, AWS has released a mitigation patch applicable to existing RES 2025.x deployments, detailed in GitHub issue https://github.com/aws/res/issues/151. Organizations should review the AWS Security Bulletin at https://aws.amazon.com/security/security-bulletins/2026-014-aws/ for deployment-specific guidance and validation testing procedures. After remediation, audit virtual desktop session names and access logs for indicators of exploitation attempts, focusing on special shell metacharacters in historical session name data. Implement input validation policies for session names as a defense-in-depth measure even post-patch.

Share

CVE-2026-5707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy