CERT/CC — MS-Agent shell tool command injection (CVE-2026-2256)
AI relevance: MS-Agent is an agent framework with a shell-execution tool; prompt injection that reaches the shell layer turns an AI workflow into a direct RCE path.
- CVE-2026-2256 is a command injection flaw in ModelScope’s MS-Agent framework.
- The issue sits in the Shell tool, which runs OS commands to complete agent actions.
- Input derived from prompts or external content is not sufficiently sanitized before execution.
- A regex denylist in
check_safe()can be bypassed with obfuscation or alternative syntax. - Attackers can plant malicious instructions in documents, code, or web pages that agents process.
- Successful exploitation yields arbitrary command execution with the agent’s privileges.
- CERT/CC reports no vendor patch or statement as of disclosure.
Security impact
A shell tool vulnerability inside a Microsoft agent ecosystem is critical because it collapses the boundary between “assistive automation” and “arbitrary command execution.” Once the shell tool is exploitable, a malicious prompt can do more than trick the model — it can execute on the host. This erodes any safety controls that depend on the agent staying within a narrow tool set.
In enterprise deployments, agent shells often run with privileged access to internal services or CI infrastructure. That means a single exploit can lead to credential theft, lateral movement, or tampering with build pipelines. Because shell tools often log output but not intent, detecting malicious use is difficult without explicit policy enforcement.
Mitigation strategy
Patch immediately and restrict shell tools to least-privileged contexts. Use allowlisted commands, run in hardened containers, and isolate the shell from sensitive secrets. Add audit logging on tool invocations, including the originating prompt or request ID, to enable forensics if abuse occurs.
Why it matters
- Agent runtimes that expose shell tools are high-leverage targets; prompt injection becomes a direct system compromise.
- Denylist filters are brittle and do not scale against adversarial prompt payloads.
- MS-Agent-style patterns show up across AI ops stacks, so the lessons generalize to tool-enabled agents.
What to do
- Sandbox agent runtimes and isolate shell execution from sensitive networks and data.
- Disable or gate shell tools unless absolutely required for a workflow.
- Replace denylists with allowlists of approved commands and arguments.
- Validate external inputs (docs, repos, URLs) before agents process them.
- Monitor for unexpected shell invocations and anomalous command patterns.