EUVD-2026-19548
GHSA-gxfh-rxpm-86pc
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
Analysis
Remote code execution as root in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01 allows authenticated remote attackers to execute arbitrary OS commands via unsanitized input in virtual desktop session names. The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78 command injection), enabling privilege escalation to root on virtual desktop hosts. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all AWS RES deployments and identify instances running versions 2025.03-2025.12.01; disable or restrict RES access if patching cannot complete immediately. Within 7 days: Apply vendor-released patch to version 2026.03 across all affected RES instances and validate deployment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today