{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/semantic-kernel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:microsoft:semantic_kernel:*:*:*:*:*:python:*:*"],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-26030"},{"cvss":9.9,"id":"CVE-2026-25592"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Semantic Kernel"],"_cs_severities":["critical"],"_cs_tags":["ai","prompt-injection","rce","semantic-kernel"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAI agents, enhanced with plugins in frameworks like Semantic Kernel, now actively operate on networks, creating execution risks beyond content issues. This research highlights vulnerabilities (CVE-2026-26030, CVE-2026-25592) in Microsoft\u0026rsquo;s Semantic Kernel, which could turn prompt injection into remote code execution (RCE). A single, crafted prompt can trigger unauthorized code execution, like launching calc.exe, on the host system without traditional exploits. The AI model correctly parses language into tool schemas; however, the framework\u0026rsquo;s trust in this parsed data creates vulnerabilities.\nThis post details the identified vulnerabilities in Semantic Kernel, mitigation steps, and ways to assess potential exposure and investigate possible exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an AI agent using a vulnerable framework like Semantic Kernel.\u003c/li\u003e\n\u003cli\u003eThe agent has a search plugin backed by an In-Memory Vector Store.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into a prompt, exploiting a prompt injection vulnerability.\u003c/li\u003e\n\u003cli\u003eThe AI model parses the injected prompt and passes the malicious payload to the search plugin.\u003c/li\u003e\n\u003cli\u003eThe search plugin\u0026rsquo;s filter function, which uses unsafe string interpolation, incorporates the malicious code into an \u003ccode\u003eeval()\u003c/code\u003e statement.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eeval()\u003c/code\u003e statement executes the injected code, achieving arbitrary code execution on the host.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the system running the AI agent.\u003c/li\u003e\n\u003cli\u003eThe attacker can perform malicious actions such as data exfiltration, lateral movement, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to unauthorized code execution on systems running AI agents. This can result in data breaches, system compromise, and further malicious activities. Vulnerable Semantic Kernel frameworks are used in various applications.\nExploitation could lead to complete system takeover, depending on the privileges of the account running the AI agent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches for CVE-2026-26030 and CVE-2026-25592 in Semantic Kernel to prevent unsafe string interpolation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-26030 Exploitation Attempt via Malicious Prompt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview and sanitize all inputs to AI agent plugins to prevent prompt injection attacks as described in the overview section.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious processes spawned from the AI agent\u0026rsquo;s process, leveraging the \u0026ldquo;Detect Suspicious Process Execution from AI Agent\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T20:22:39Z","date_published":"2026-05-07T20:22:39Z","id":"/briefs/2026-05-ai-agent-rce/","summary":"AI agents using frameworks like Microsoft's Semantic Kernel are vulnerable to remote code execution (RCE) via prompt injection by manipulating plugin parameters due to unsafe data handling.","title":"AI Agent Frameworks Vulnerable to RCE via Prompt Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-ai-agent-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Semantic-Kernel","version":"https://jsonfeed.org/version/1.1"}