CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Issues with AWS Research and Engineering Studio (RES)

unknownCVE-2026-5707CVE-2026-5708CVE-2026-5709
Bulletin ID: 2026-014-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/06 14:00 PM PDT Description: Research and Engineering Studio (RES) on AWS is an open source, web portal design for administrators to create and manage secure cloud-based research and engineering environments. We have identified the following issues with the AWS Research and Engineering Studio (RES). CVE-2026-5707: Unsanitized input in an OS Command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. CVE-2026-5708: Improper control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) before version 2026.03 might allow an authenticated remote user to escalate privileges and assume the Virtual Desktop Host instance profile permissions and interact with other AWS resources and services via a crafted API request. CVE-2026-5709: Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. Impacted versions: <= 2025.12.01 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
Unsanitized input in OS command handling may allow a remote authenticated actor to execute arbitrary commands as root.
Who is affected
Remote authenticated users of AWS Research and Engineering Studio versions 2025.03 through 2025.12.01.
Urgency
Remediation is critical due to the potential for remote command execution.
Action
Update to a version of AWS Research and Engineering Studio that addresses these issues.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Research and Engineering Studio

Get an email when a new Research and Engineering Studio advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-014-aws/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-5707coverage & exploitation statusNVD · CVE.org
CVE-2026-5708coverage & exploitation statusNVD · CVE.org
CVE-2026-5709coverage & exploitation statusNVD · CVE.org

More from AWS Security Bulletins