Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name.
To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
AnalysisAI
Remote code execution as root in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01 allows authenticated remote attackers to execute arbitrary OS commands via unsanitized input in virtual desktop session names. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78 command injection), enabling privilege escalation to root on virtual desktop hosts. Vendor-released patch available in version 2026.03. CVSS 8.7 (High) with network attack vector, low complexity, and low privileges required. No public exploit identified at time of analysis, though the technical details in GitHub issue #151 may facilitate weaponization.
Technical ContextAI
This vulnerability exploits CWE-78 (OS Command Injection) in the virtual desktop session name handling component of AWS Research and Engineering Studio, a cloud-based research computing environment. The affected software fails to sanitize user-controlled input from session names before passing them to underlying operating system commands executed on virtual desktop hosts. In command injection attacks, special shell metacharacters (such as semicolons, backticks, pipes, or command substitution syntax) embedded in untrusted input allow attackers to break out of the intended command context and execute arbitrary system commands. The CPE identifier (cpe:2.3:a:aws:research_and_engineering_studio_(res)) confirms this affects the RES product line specifically. The CVSS vector AV:N/AC:L/PR:L indicates network-accessible exploitation with low attack complexity requiring only low-privilege authentication, making this readily exploitable by any authenticated RES user. The root-level execution capability (implied by 'execute arbitrary commands as root') represents a complete compromise of the virtual desktop host, bypassing normal privilege separation.
RemediationAI
Upgrade immediately to AWS Research and Engineering Studio version 2026.03 or later, which contains the complete fix for this command injection vulnerability. The patched release is available at https://github.com/aws/res/releases/tag/2026.03. For environments where immediate upgrade is not feasible, AWS has released a mitigation patch applicable to existing RES 2025.x deployments, detailed in GitHub issue https://github.com/aws/res/issues/151. Organizations should review the AWS Security Bulletin at https://aws.amazon.com/security/security-bulletins/2026-014-aws/ for deployment-specific guidance and validation testing procedures. After remediation, audit virtual desktop session names and access logs for indicators of exploitation attempts, focusing on special shell metacharacters in historical session name data. Implement input validation policies for session names as a defense-in-depth measure even post-patch.
Privilege escalation in AWS Research and Engineering Studio (RES) versions prior to 2026.03 allows authenticated remote
Remote command injection in AWS Research and Engineering Studio (RES) 2024.10 through 2025.12.01 allows authenticated us
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19548
GHSA-gxfh-rxpm-86pc