Attack Chain

1. Attacker identifies an AI agent using a vulnerable framework like Semantic Kernel.
2. The agent has a search plugin backed by an In-Memory Vector Store.
3. The attacker injects malicious code into a prompt, exploiting a prompt injection vulnerability.
4. The AI model parses the injected prompt and passes the malicious payload to the search plugin.
5. The search plugin’s filter function, which uses unsafe string interpolation, incorporates the malicious code into an eval() statement.
6. The eval() statement executes the injected code, achieving arbitrary code execution on the host.
7. The attacker gains control of the system running the AI agent.
8. The attacker can perform malicious actions such as data exfiltration, lateral movement, or deploying ransomware.

Impact

Successful exploitation of these vulnerabilities could lead to unauthorized code execution on systems running AI agents. This can result in data breaches, system compromise, and further malicious activities. Vulnerable Semantic Kernel frameworks are used in various applications. Exploitation could lead to complete system takeover, depending on the privileges of the account running the AI agent.

Recommendation

• Apply patches for CVE-2026-26030 and CVE-2026-25592 in Semantic Kernel to prevent unsafe string interpolation.
• Deploy the Sigma rule “Detect CVE-2026-26030 Exploitation Attempt via Malicious Prompt” to identify potential exploitation attempts in web server logs.
• Review and sanitize all inputs to AI agent plugins to prevent prompt injection attacks as described in the overview section.
• Monitor process creation events for suspicious processes spawned from the AI agent’s process, leveraging the “Detect Suspicious Process Execution from AI Agent” Sigma rule.