Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM.
Articles & Coverage 1
AnalysisAI
Local privilege escalation in Amazon WorkSpaces for Windows versions before 2.6.2034.0 enables authenticated low-privileged users to write arbitrary files to protected system locations, achieving SYSTEM-level access. The vulnerability exploits a race condition (CWE-367) in the Skylight Workspace Config Service's log rotation mechanism. No public exploit or active exploitation confirmed at time of analysis, but local access requirement limits attack surface to compromised user accounts or insider threats.
Technical ContextAI
Amazon WorkSpaces is a managed desktop-as-a-service solution running Windows environments. The vulnerable component is the Skylight Workspace Config Service, a privileged system service that performs log rotation operations. The underlying flaw is a time-of-check-time-of-use (TOCTOU) race condition (CWE-367) during log file operations. When the service rotates logs running with SYSTEM privileges, it fails to properly validate file system permissions between checking and using file paths. A low-privileged user can exploit this race window by manipulating symbolic links or directory junctions, redirecting the service's write operations to protected system directories. This technique, known as arbitrary file write via privileged file operations, is a classic local privilege escalation vector in Windows environments where services with elevated privileges perform predictable file system operations.
RemediationAI
Upgrade Amazon WorkSpaces for Windows to version 2.6.2034.0 or later, which contains the vendor-released fix for the log rotation race condition. Consult AWS Security Bulletin 2026-025-AWS at https://aws.amazon.com/security/security-bulletins/2026-025-aws/ for deployment instructions and compatibility notes. If immediate patching is not feasible, implement compensating controls: restrict local user accounts to standard user privileges without local admin rights (reduces attack prerequisites but does not eliminate the PR:L threat), enable Windows Defender Application Control or AppLocker to prevent unauthorized executable placement in system directories (limits post-exploitation impact but introduces application compatibility overhead), deploy endpoint detection and response (EDR) solutions configured to detect symbolic link manipulation and suspicious file operations by system services (provides detection but not prevention). Monitor WorkSpaces logs for unusual Skylight Workspace Config Service activity or unexpected file creation in protected directories. Note that compensating controls provide defense-in-depth but do not fully mitigate the vulnerability-patching remains the primary remediation.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27149