AI Threat Alert
Patch now if you're running Semantic Kernel agents with SessionsPythonPlugin — this is a CVSS 9.9 arbitrary file write reachable by any authenticated user over the network with zero user interaction. The scope change (S:C) in the CVSS vector means successful exploitation can break container isolation, turning a compromised plugin into full host access. If immediate patching to 1.71.0 (.NET) / 1.39.3 (Python) is not possible, implement a Function Invocation Filter to allowlist valid file paths as the vendor-recommended workaround.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| semantic-kernel | pip | < 1.39.3 | 1.39.3 |
| Microsoft.SemanticKernel.Core | nuget | < 1.71.0 | 1.71.0 |
Severity & Risk
Recommended Action
- 1) PATCH: Upgrade Microsoft.SemanticKernel.Core to 1.71.0+ (NuGet) and semantic-kernel to 1.39.3+ (pip) immediately — no exceptions for production systems. 2) WORKAROUND: If patching is delayed, implement a Function Invocation Filter that validates localFilePath against an explicit allowlist before any DownloadFileAsync or UploadFileAsync invocation — this is the vendor-documented compensating control. 3) DETECT: Alert on file writes outside designated agent working directories; monitor for unexpected modifications to /etc/, ~/.ssh/, cron directories, or application config paths from the Semantic Kernel process user. 4) AUDIT: Enumerate all usages of SessionsPythonPlugin in your codebase and CI/CD pipelines; verify dependency versions across all environments. 5) HARDEN: Run Semantic Kernel processes under a least-privilege OS user and within a restricted filesystem namespace — read-only container mounts where possible, seccomp profiles restricting filesystem syscalls.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed.
Exploitation Scenario
An adversary with low-privilege access to a Semantic Kernel-backed AI coding assistant — a trial user, a compromised internal account, or an attacker who has obtained a valid API token — sends a crafted agent invocation calling DownloadFileAsync with localFilePath set to '../../.ssh/authorized_keys' and attacker-controlled content as the file payload. The unpatched SessionsPythonPlugin writes the attacker's SSH public key to the host's authorized_keys file, granting persistent SSH access to the underlying infrastructure. In a cloud-hosted multi-tenant scenario, this single request escalates to full control of the agent execution environment and potential lateral movement to other tenant workloads. No UI interaction from a victim is required at any stage.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H References
- github.com/advisories/GHSA-2ww3-72rp-wpp4
- github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs
- github.com/microsoft/semantic-kernel/pull/13478/changes
- github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4
- nvd.nist.gov/vuln/detail/CVE-2026-25592
- github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs
- github.com/microsoft/semantic-kernel/pull/13478/changes
- github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4