BenZamir/CVE-2026-7791
# CVE-2026-7791 PoC: Privileged by Default
Research proof-of-concept for **local privilege escalation in Amazon WorkSpaces** (TOCTOU + SYSTEM-level arbitrary file write in the Skylight Workspace Config Service).
Full technical details: [Cymulate blog](https://cymulate.com/blog/cve-2026-7791-amazon-workspaces-local-privilege-escalation/)
| | |
|---|---|
| CVE | [CVE-2026-7791](https://nvd.nist.gov/vuln/detail/CVE-2026-7791) |
| Vendor | [AWS Security Bulletin 2026-025-AWS](https://aws.amazon.com/security/security-bulletins/) |
| Patched in | Skylight **2.6.2034.0** |
| Author | Ben Zamir, [Cymulate](https://cymulate.com) Research Labs |
## License
**MIT**
## What this PoC does
A low-privileged WorkSpaces user can abuse the **Skylight Workspace Config Service** (running as **SYSTEM**) during scheduled log rotation. The PoC relies on four conditions: permissive ACLs under `C:\ProgramData\Amazon`, a **ROTATE** directory junction, the absence of file-type checks, and a **~1–10 ms TOCTOU** window between the first File Move and the enumeration of archived files.
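To audit a WorkSpace for two of these conditions (directories writable by non-administrators and reparse points under `C:\ProgramData\Amazon`), a script along the following lines can be used. It is an added example, not code from this repository or from AWS; the trusted-principal list is an assumption and uses English account names.

```powershell
# Added audit example (defensive); not part of the PoC in this repository.
# Assumption: the tree to audit is the one this README names.
param([string]$Root = 'C:\ProgramData\Amazon')

# Assumed allow-list: principals expected to hold write access in a tree
# serviced by SYSTEM (English account names; adjust for localized systems).
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Rights that allow creating, replacing or redirecting content, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
# inherit-only ACEs may carry instead of specific file rights.
$Write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Mask  = [int]$Write -bor 0x40000000 -bor 0x10000000

$dirs = @(Get-Item -LiteralPath $Root -Force) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($d in $dirs) {
    if ($d.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        # A junction or symlink here can redirect a privileged file move.
        [pscustomobject]@{ Path = $d.FullName; Issue = 'ReparsePoint'
                           Detail = "$($d.LinkType) -> $($d.Target)" }
        continue   # do not evaluate the ACL of the link itself
    }
    try { $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop }
    catch { continue }   # ACL not readable by the current user: skip
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $Trusted -notcontains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $Mask)) {
            [pscustomobject]@{ Path = $d.FullName; Issue = 'WritableByNonAdmin'
                               Detail = "$($ace.IdentityReference): $($ace.FileSystemRights)" }
        }
    }
}

$findings | Sort-Object Path, Issue | Format-Table -AutoSize -Wrap
```

An empty result means no reparse points and no non-administrator write ACEs were found in the tree; it does not confirm that Skylight is at the patched version.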
## Quick start
**Lab only.** Vulnerable Skylight (before **2.6.2034.0**), standard user, payload beside the executable.
1. Compile the code
2. Execute: `poc.exe AutoPilot.dll "C:\Program Files\Amazon\cfn-bootstrap"`

`poc.exe [target path]`

Keep the process running until rotation occurs.
## Responsible use
Authorized security research and defensive testing on systems you own or are permitted to assess.
## See also
- [AWS Security Bulletin 2026-025-AWS](https://aws.amazon.com/security/security-bulletins/)