CVE-2025-12815 - RES web portal may display preview of Virtual Desktops that the user shouldn't have access to
Bulletin ID: AWS-2025-026 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/11/6 09:15 AM PDT Description: Research and Engineering Studio on AWS (RES) is an open source, easy-to-use web-based portal for administrators to create and manage secure cloud-based research and engineering environments. We identified CVE-2025-12815, in which an ownership verification issue in the Virtual Desktop preview page in the Research and Engineering Studio (RES) on AWS before version 2025.09 may allow an authenticated remote user to view another user's active desktop session metadata, including periodical desktop preview screenshots. Impacted versions: < 2025.09
CSIRTS triage
- What
- An ownership verification issue may allow unauthorized access to desktop session metadata.
- Who is affected
- Authenticated users of RES before version 2025.09.
- Urgency
- Remediation is important to protect user privacy.
- Action
- Update to version 2025.09 or later.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Research and Engineering Studio (RES)
Get an email when a new Research and Engineering Studio (RES) advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-026/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2025-128150.28% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 20% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2025-12815 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for - RES web
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-11901: The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data A…nvd · 2026-07-11
- criticalCVE-2026-14480: OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy …nvd · 2026-07-10
- unknownCVE-2026-58591: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerabi…nvd · 2026-07-10
- unknownCVE-2026-58588: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerabi…nvd · 2026-07-10
- unknownCVE-2026-58587: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerabi…nvd · 2026-07-10
- unknownCVE-2026-58503: Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumerat…nvd · 2026-07-10
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01