CVE-2025-0500: 
Amazon WorkSpaces client vulnerability analysis and mitigation

An issue was identified in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients. The vulnerability was discovered and disclosed on January 15, 2025, and was assigned identifier CVE-2025-0500. The vulnerability affects specific versions of these Amazon clients: Amazon WorkSpaces Windows client 5.20.0 or earlier, macOS client 5.20.0 or earlier, and Linux client 2024.1 or earlier; Amazon AppStream 2.0 Windows client 1.1.1326 or earlier; and Amazon DCV Windows client 2023.1.8993 or earlier, macOS client 2023.1.6203 or earlier, and Linux client 2023.1.6203 or earlier for all supported Linux distributions (AWS Bulletin).

The vulnerability is classified as CWE-295 (Improper Certificate Validation). According to the CVSS v4.0 scoring system, it received a HIGH severity score of 7.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). Under CVSS v3.1, it was rated as HIGH with a base score of 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD Database).

If exploited, this vulnerability could allow a malicious actor to perform a man-in-the-middle attack, potentially gaining unauthorized access to remote WorkSpaces, AppStream, or DCV sessions (AWS Bulletin).

AWS has released fixed versions of the affected clients. Users should upgrade to the following versions: Amazon WorkSpaces Windows and macOS client 5.21.0 or later, Linux client 2024.2 or later; Amazon AppStream 2.0 Windows client 1.1.1332 or later; Amazon DCV Windows client 2023.1.9127 or later, macOS and Linux client 2023.1.6703 or later (AWS Bulletin).