Julianallenderussek

Name of the Vulnerable Software and Affected Versions AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01 Description A flaw exists in the virtual desktop session name handling within AWS Research and Engineering Studio (RES). An unsanitized input in an OS command could allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host through a crafted session name. Recommendations Upgrade to RES version 2026.03 or apply the corresponding mitigation patch.

Name of the Vulnerable Software and Affected Versions AWS Research and Engineering Studio (RES) versions prior to 2026.03 Description An issue exists in the session creation component of AWS Research and Engineering Studio (RES) where unsanitized control of user-modifiable attributes could allow an authenticated remote user to escalate privileges. Successful exploitation could allow an attacker to assume the virtual desktop host instance profile permissions and interact with AWS resources and services via a crafted API request. Recommendations Upgrade to RES version 2026.03 or apply the corresponding mitigation patch.

Name of the Vulnerable Software and Affected Versions AWS Research and Engineering Studio (RES) versions 2024.10 through 2025.12.01 Description Improper input validation in the FileBrowser API within AWS Research and Engineering Studio (RES) could allow a remote authenticated attacker to execute arbitrary commands on the cluster-manager EC2 instance. This is possible through crafted input when utilizing the FileBrowser functionality. Recommendations Upgrade to RES version 2026.03 or apply the corresponding mitigation patch.