Unsanitized input in the handling of virtual desktop session names in AWS Research and Engineering Studio (RES) allows an attacker to inject OS commands, granting the ability to execute arbitrary commands with root privileges on the virtual desktop host. This represents a high‑severity remote code execution vulnerability that can compromise the confidentiality, integrity, and availability of the affected environment. The weakness is a classic command injection scenario, classified as CWE‑78.

The vulnerability affects AWS Research and Engineering Studio versions 2025.03 through 2025.12.01. Any deployment of these releases is susceptible unless patched or upgraded to a newer version. The affected components are the session name processing logic that interfaces directly with system shell commands.

The Common Vulnerability Scoring System gives this flaw a CVSS score of 8.7, indicating high severity. The Exploit Prediction Scoring System indicates the probability of exploitation is below 1 %, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires remote authenticated access to the RES platform, meaning an attacker must have legitimate credentials or privilege escalation, but once authenticated, the exploitation path is straightforward—crafting a malicious session name that injects commands via the OS shell. No publicly known exploits are currently documented, but the lack of input validation makes it a viable target for malicious actors.