AWS Research and Engineering Studio Command Injection Vulnerability in Virtual Desktop Session Name Handling
Vulnerability
A command injection vulnerability has been identified in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01. The virtual desktop session name is not sanitized before it is used in session management on the virtual desktop host: when a session is stopped and later resumed, the stored name is processed in a way that lets shell commands embedded in it run on the EC2 instance backing that session. Because the resume handling runs with root privileges, a remote authenticated RES user can execute arbitrary commands as root on the virtual desktop host simply by choosing a crafted session name.
Impact
Exploitation of this vulnerability gives a remote authenticated user cross-user remote code execution on the virtual desktop host, with the injected commands running as root.
Reproduction
To reproduce, create a virtual desktop session in an affected RES version (2025.03 through 2025.12.01) and give it a session name that embeds shell commands. Stop the session and then resume it: the embedded commands execute, with root privileges, on the EC2 instance hosting the virtual desktop.
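The bug class described above (a user-controlled session name that reaches a shell on stop/resume) is easiest to understand next to its fix. The following is an added illustration written for this page; it is not AWS RES code, and the echo-based stand-in for the resume command, the function names and the allowlist pattern are assumptions made for the demonstration. It shows the vulnerable pattern (name formatted into a command string run with shell=True), the quoted variant for cases where a shell is unavoidable, and the hardened form (allowlist validation plus an argv list with no shell).

```python
"""Constructed example of the command-injection pattern behind the advisory.
NOT the AWS RES source: the resume command is replaced by a harmless `echo`,
and the helper names and the allowlist regex are assumptions for this demo."""
import re
import shlex
import subprocess

# Hypothetical stand-in for whatever the host runs on session resume. A real
# helper would invoke a session/display manager; here we only echo the name.
RESUME_TEMPLATE = "echo resuming session {name}"

# Allowlist for session names (assumed policy): letters, digits, space,
# dash and underscore, 1 to 64 characters. No shell metacharacters pass.
SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")


def resume_session_vulnerable(session_name: str) -> str:
    """Vulnerable pattern: the raw name is formatted into a command string and
    executed with shell=True, so /bin/sh interprets any metacharacters in it.
    Returns the combined stdout of everything the shell ran."""
    cmd = RESUME_TEMPLATE.format(name=session_name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def resume_session_quoted(session_name: str) -> str:
    """Partial mitigation when a shell string cannot be avoided: shlex.quote()
    wraps the name so the shell treats it as one literal word."""
    cmd = RESUME_TEMPLATE.format(name=shlex.quote(session_name))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_session_name(session_name: str) -> bool:
    """True if the name matches the allowlist exactly."""
    return SESSION_NAME_RE.fullmatch(session_name) is not None


def validate_session_name(session_name: str) -> str:
    """Reject any name outside the allowlist before it reaches a command."""
    if not is_valid_session_name(session_name):
        raise ValueError(f"invalid session name: {session_name!r}")
    return session_name


def resume_session_hardened(session_name: str) -> str:
    """Hardened pattern: validate against the allowlist, then pass the name as
    a single argv element with shell=False, so no shell ever parses it."""
    name = validate_session_name(session_name)
    argv = ["echo", "resuming", "session", name]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def injected_lines(output: str) -> list[str]:
    """Output lines other than the expected 'resuming session ...' line.
    Any extra line means a second, injected command ran."""
    return [ln for ln in output.splitlines() if not ln.startswith("resuming session")]


if __name__ == "__main__":
    # Constructed malicious name: ';' ends the echo and starts a second command.
    evil = "demo; echo INJECTED-COMMAND-RAN"
    print("vulnerable, extra output:", injected_lines(resume_session_vulnerable(evil)))
    print("quoted, passed literally:", resume_session_quoted(evil).strip())
    try:
        resume_session_hardened(evil)
    except ValueError as err:
        print("hardened rejected:", err)
    print("hardened with a safe name:", resume_session_hardened("demo").strip())
```

Run it as a script: the vulnerable helper prints the injected marker on its own line, the quoted helper prints the whole name as a literal argument, and the hardened helper refuses the name outright. Quoting alone is a fallback; the validation-plus-argv form is the one to ship, since it removes the shell from the path entirely and rejects the input before it is stored with the session.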
Remediation
Upgrade to AWS RES version 2026.03, or apply the corresponding mitigation patch to an existing environment. Instructions for applying the patch are published in the AWS RES GitHub repository.
