CVE-2025-0500

An issue in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients may allow an attacker to access remote sessions via man-in-the-middle.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://aws.amazon.com/security/security-bulletins/AWS-2025-001/
https://docs.aws.amazon.com/appstream2/latest/developerguide/client-release-versions.html
https://docs.aws.amazon.com/dcv/latest/adminguide/doc-history-release-notes.html#dcv-2023-1-16388jul
https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-linux-client.html#linux-release-notes
https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-osx-client.html#osx-release-notes
https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-windows-client.html#windows-release-notes

Configurations

No configuration.

History

No history.

Information

Published : 2025-01-15 19:15

Updated : 2025-10-14 19:15

NVD link : CVE-2025-0500

Mitre link : CVE-2025-0500

CVE.ORG link : CVE-2025-0500

JSON object : View

Products Affected

No product.

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2025-0500", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}], "cvssMetricV40": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-01-15T19:15:27.003", "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-001/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://docs.aws.amazon.com/appstream2/latest/developerguide/client-release-versions.html", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://docs.aws.amazon.com/dcv/latest/adminguide/doc-history-release-notes.html#dcv-2023-1-16388jul", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-linux-client.html#linux-release-notes", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-osx-client.html#osx-release-notes", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-windows-client.html#windows-release-notes", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "An issue in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients may allow an attacker to access remote sessions via man-in-the-middle."}, {"lang": "es", "value": " Un problema en los clientes nativos de Amazon WorkSpaces, Amazon AppStream 2.0 y Amazon DCV Clients puede permitir que un atacante acceda a sesiones remotas a trav\u00e9s de un man-in-the-middle."}], "lastModified": "2025-10-14T19:15:37.370", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}