Cybersecurity researchers have revealed a newly patched vulnerability in the Amazon EC2 Simple Systems Manager (SSM) Agent that could have allowed attackers to achieve privilege escalation and execute arbitrary code. The flaw, disclosed by Cymulate, has raised significant concerns within the cybersecurity community due to its potential impact on system security.
The vulnerability was identified as a path traversal flaw that arises from improper validation of plugin IDs utilized by the SSM Agent. According to Cymulate’s report, this vulnerability could allow an attacker to create directories in secure locations on the file system, use root privileges to execute scripts, and perform malicious activities that pose a significant risk to AWS environments. The underlying issue was traced back to a function named “ValidatePluginId” within the plugin utility code, which fails to adequately sanitize input.
Elad Beber, a security researcher involved in the discovery, noted that attackers could exploit this flaw by supplying specially crafted plugin IDs containing path traversal sequences, essentially paving the way for unauthorized access and control over EC2 instances. As a result, executing commands or scripts on the filesystem could lead to severe security breaches.
Following responsible disclosure of the vulnerability on February 12, 2025, Amazon quickly addressed the issue, releasing a patch with Amazon SSM Agent version 3.3.1957.0 on March 5, 2025. The fix includes enhancements such as implementing the BuildSafePath method to prevent similar vulnerabilities in the future. AWS administrators are urged to update their SSM Agents to mitigate this critical threat and ensure the integrity of their systems.
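The class of bug described above, an identifier joined onto a base directory without adequate validation, is shown here next to a checked version. This is an added example, not the SSM Agent's code or Cymulate's; the function names, allowlist pattern, base path and sample IDs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed allowlist for this example: letters, digits, '.', '_', ':' and '-'.
var pluginIDPattern = regexp.MustCompile(`^[A-Za-z0-9._:-]{1,128}$`)

var ErrUnsafePluginID = errors.New("unsafe plugin ID")

// naiveJoin is the weak pattern: the ID is appended to the base unchecked,
// so ".." segments are resolved by Join and can leave the base directory.
func naiveJoin(base, pluginID string) string {
	return filepath.Join(base, pluginID)
}

// safeJoin (hypothetical helper) rejects IDs outside the allowlist, then
// confirms the resulting path is still contained in base before returning it.
func safeJoin(base, pluginID string) (string, error) {
	if !pluginIDPattern.MatchString(pluginID) || pluginID == "." || pluginID == ".." {
		return "", ErrUnsafePluginID
	}
	cleanBase := filepath.Clean(base)
	full := filepath.Join(cleanBase, pluginID)
	rel, err := filepath.Rel(cleanBase, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePluginID
	}
	return full, nil
}

func main() {
	base := "/var/lib/example/orchestration" // constructed path, not the agent's
	// Constructed sample IDs: one benign, three that must be rejected.
	for _, id := range []string{"demo.plugin-01", "../../../tmp/x", "a/../../b", ".."} {
		p, err := safeJoin(base, id)
		fmt.Printf("%-18q naive=%q safe=%q err=%v\n", id, naiveJoin(base, id), p, err)
	}
}
```

For detection, a directory created by the agent's process outside its expected working tree is the filesystem signal that an ID was resolved the way `naiveJoin` does.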
For more information on this vulnerability and the patch details, please refer to Cymulate's report.