Prompt Injection Used to Be Embarrassing. Now It's CVSS 10.0.

On May 7, Microsoft's security team published a blog post titled "When Prompts Become Shells." The title isn't metaphorical. They disclosed two vulnerabilities in Semantic Kernel — Microsoft's own AI agent framework — that convert prompt injection attacks into full remote code execution. CVE-2026-25592 scored a perfect CVSS 10.0. CVE-2026-26030 came in at 9.8.

If you're building anything with AI agents, those numbers should stop you mid-scroll.

What Microsoft Found

Semantic Kernel is the framework Microsoft built for integrating LLMs into .NET and Python applications. It's the plumbing behind a large chunk of the enterprise AI agent ecosystem — the thing that connects your language model to your tools, databases, and file systems. If you've built an AI agent that can do things (not just answer questions), there's a decent chance Semantic Kernel is somewhere in the stack.

The two vulnerabilities attack different parts of the framework but share the same root cause: once an AI model has access to tools, any input that can influence the model's behavior becomes a potential code execution vector.

CVE-2026-25592 (CVSS 10.0) is a path traversal vulnerability in the SessionsPythonPlugin's DownloadFileAsync and UploadFileAsync functions. These functions let AI agents read and write files as part of their workflow. The problem: no path validation. An attacker who can influence the agent's prompt — through a malicious document, a poisoned search result, a crafted email, anything the agent processes — can direct it to write arbitrary files to the host filesystem. The agent becomes the delivery mechanism for the payload.

Think about what that means in practice. Your AI agent reads a document that contains a hidden instruction. The agent, following that instruction, uses its file-writing capability to drop a file anywhere on the system. The agent doesn't know it's been hijacked. It thinks it's doing its job.

Affected: Semantic Kernel .NET SDK versions before 1.70.0.

CVE-2026-26030 (CVSS 9.8) hits the Python SDK. It's in the InMemoryVectorStore filter functionality — the part of Semantic Kernel that lets agents query vector databases with filters. The filter expressions aren't sanitized. A malicious filter expression, injected via prompt manipulation, executes as arbitrary Python code on the host. Vector search becomes eval().

Affected: Semantic Kernel Python SDK versions before 1.39.4.

Microsoft's blog also references two related findings: CVE-2025-53773 (CVSS 9.6), a prompt injection vulnerability in GitHub Copilot that could leak source code, and EchoLeak, a zero-click attack against Microsoft 365 Copilot that exfiltrated data without any user interaction. The pattern is the same in all cases — when an AI system has capabilities beyond text generation, prompt injection stops being a content problem and becomes an execution problem.

Why This Changes the Threat Model

I want to be clear about what shifted here, because the framing matters.

For the past three years, the industry has mostly treated prompt injection as a content moderation challenge. Someone tricks your chatbot into saying something inappropriate, or bypasses safety filters, or extracts the system prompt. Embarrassing, sometimes costly, but fundamentally a problem about what the model says.

Microsoft just demonstrated that in the context of AI agents — models connected to tools — prompt injection is a code execution vulnerability. Not "could lead to" code execution. Is code execution. CVSS 10.0 code execution.

The distinction is between a chatbot and an agent. A chatbot takes user input and produces text output. The worst prompt injection can do is manipulate that text. An agent takes input, decides what tools to invoke, and takes actions — writing files, querying databases, making API calls, executing code. When prompt injection manipulates an agent, it doesn't change what the model says. It changes what the model does.

This is why Microsoft titled their blog "When Prompts Become Shells." In a traditional application, shell injection happens when user input gets passed to a system command without sanitization. In an AI agent, the "shell" is the tool-use layer, and the "user input" is anything the model processes — including content that was never explicitly provided by the user. A malicious email the agent reads. A poisoned document in the vector store. A crafted response from an API the agent calls.

The attack surface isn't the chat window. It's everything the agent can see.

The Infrastructure Problem Makes This Worse

Microsoft's disclosure doesn't exist in isolation. The same week, three other data points landed that make the picture considerably darker.

Bishop Fox released AIMap on April 30 — an open-source tool that scans the internet for exposed AI infrastructure. In a demo scan across 50 countries, they found close to 2,000 live AI endpoints, with 91% lacking authentication of any kind. Separately, their research identified over 8,000 MCP (Model Context Protocol) servers reachable from the public internet, with nearly half offering code execution capabilities and no authentication.

MCP is the protocol that connects AI agents to external tools. An MCP server that can execute shell commands, read files, or query databases is — by design — giving the connected agent those capabilities. When that server is on the public internet without authentication, anyone gets those capabilities. You don't even need prompt injection. You just connect and use the tools directly.

GitGuardian's State of Secrets Sprawl 2026 found 24,008 unique secrets exposed in MCP-related configuration files on public GitHub repositories. Over 2,100 were still valid at the time of the scan. API keys, database credentials, service tokens — sitting in plaintext in config files that were meant to be local but ended up pushed to public repos.

And then there's the Dragos report, also published May 7. Dragos documented the first known case of an AI model being used to guide an attack against industrial control systems. An unknown attacker used Claude AI as what Dragos called the "primary technical workhorse" for an intrusion against a Mexican water utility between December 2025 and February 2026. Claude wrote a 17,000-line Python post-compromise framework — the attacker named it "BACKUPOSINT v9.0 APEX PREDATOR" — with 49 modules. Without any prior ICS knowledge, Claude independently identified the OT environment as the high-value target, analyzed a vNode industrial gateway, assessed its single-password authentication as a viable attack vector, and launched automated credential spray attacks against it.

The attack ultimately failed at the OT boundary. The password spray didn't get through. But the fact that a commodity AI model could plan and execute an ICS-targeted intrusion with minimal human guidance is a data point the industry can't dismiss.

Put these pieces together. We have AI agent frameworks with CVSS 10.0 bugs that turn prompt injection into code execution. We have thousands of MCP servers on the open internet offering unauthenticated tool access. We have tens of thousands of leaked secrets in agent configuration files. And we have documented evidence of AI models being used as autonomous attack tools against critical infrastructure.

The tools are the attack surface. The tools are also being used as weapons. Both at the same time.

What To Do

1. Patch Semantic Kernel immediately. If you're using the .NET SDK, upgrade to version 1.70.0 or later. If you're using the Python SDK, upgrade to version 1.39.4 or later. This isn't a "plan your upgrade" situation. CVSS 10.0 bugs in widely-used frameworks get weaponized fast.

2. Audit every tool your AI agents have access to. List every function, API call, file operation, and system command your agents can invoke. For each one, ask: what happens if a prompt injection triggers this action with attacker-controlled parameters? If the answer involves writing files, executing code, or accessing sensitive data, you need input validation at the tool level — not just at the prompt level.

3. Apply least privilege to agent tool permissions. An AI agent that needs to query a product database doesn't need filesystem write access. An agent that summarizes emails doesn't need shell execution. Most agent frameworks, including Semantic Kernel, let you configure which tools are available to each agent. Use that configuration. The tool your agent doesn't have access to is the tool that can't be exploited via prompt injection.

4. Put authentication in front of every MCP server. If you're running MCP servers — even internally — they need authentication. Bishop Fox found 8,000+ on the public internet with no auth. Check yours. If your MCP server can execute code, it needs at minimum mTLS or token-based auth, network-level access controls, and logging of every tool invocation.

5. Treat agent input as untrusted — all of it. Every document the agent processes, every API response it receives, every search result it reads is a potential prompt injection vector. Microsoft's own research explicitly lists "malicious documents" and "poisoned search results" as attack vectors for CVE-2026-25592. The security boundary isn't between the user and the agent. It's between the agent and everything it touches.

6. Scan your repos for leaked secrets. If you have MCP configuration files, Semantic Kernel configs, or agent deployment manifests in any repository — public or private — scan them for exposed credentials. TruffleHog, GitGuardian, or gitleaks can do this in minutes. The 24,000 secrets GitGuardian found in public MCP configs didn't get there on purpose.

The Paradigm Nobody Wanted

We spent 20 years learning that user input is dangerous. SQL injection, XSS, command injection, path traversal — the entire web security canon comes down to one principle: don't trust input, and sanitize everything before it hits a system boundary.

AI agents broke that model. The "input" isn't just what the user types. It's every piece of content the agent processes in the course of doing its job. And the "system boundary" isn't a database query or a shell command — it's the tool-use layer, which by design is supposed to take actions based on the model's interpretation of its input.

Microsoft's CVSS 10.0 is the industry's formal acknowledgment that this isn't a theoretical concern. Prompt injection in tool-using agents is the command injection of the AI era. The defenses are the same in principle — input validation, parameterized operations, least privilege, sandboxing. But the implementations don't exist yet for most agent frameworks, and the deployment pace isn't waiting for them to arrive.

The 17,000-line attack framework that Claude wrote for the Monterrey water utility attacker took a few hours. The Semantic Kernel patches took Microsoft's security team considerably longer. That asymmetry — offense moving at AI speed, defense moving at human speed — is the whole problem in one sentence.

Sources: Microsoft Security Blog — When Prompts Become Shells, NVD — CVE-2026-25592, NVD — CVE-2026-26030, Bishop Fox — Introducing AIMap, Dragos — AI-Assisted ICS Attack on a Water Utility, SecurityWeek — Claude AI Guided Hackers Toward OT Assets