Critical · CVSS 9.9 · May 7, 2026 · Microsoft Defender Security Research

Semantic Kernel Prompt-to-RCE

When Agent Tooling Turns Language into Shell Access

Microsoft Defender Security Research published a case study showing how two vulnerabilities in Microsoft Semantic Kernel convert prompt injection from a content-integrity problem into a host-level execution risk. Both CVEs were responsibly disclosed and fixed before publication. The central lesson: the model is not the vulnerable component — the risk emerges when agent frameworks treat language-derived parameters as trusted input to system-level operations.

CVEs: 2 · Max CVSS: 9.9 · Impact: RCE · Status: Patched

"Once an AI model is wired to tools, prompt injection creates a thin line between being just a content security problem and becoming a code execution primitive."

— Microsoft Security Blog
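
The central lesson above, sketched as an added example: this is not code from Semantic Kernel or from the Microsoft write-up, and it does not reproduce either CVE. It assumes a hypothetical agent tool that tails a log file; `LOG_ROOT`, `build_tail_argv`, `check` and the limits are invented for illustration. Arguments the model supplies are validated as untrusted input before they reach a system-level operation.

```python
import re
from pathlib import Path

# Hypothetical tool contract (assumed for this sketch): the agent may read the
# tail of one log file under a fixed directory. Names and limits are made up.
LOG_ROOT = Path("/var/log/agent-demo")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")
MAX_LINES = 500


class ToolArgError(ValueError):
    """Raised when model-supplied arguments fail validation."""


def build_tail_argv(args):
    """Turn model-supplied tool arguments into an argv list, or raise.

    Values in `args` originate from model output, so they are untrusted:
    exact keys, strict types, allowlisted characters, path confinement,
    and no shell interpretation at any point.
    """
    if not isinstance(args, dict) or set(args) != {"name", "lines"}:
        raise ToolArgError("unexpected or missing argument")
    name, lines = args["name"], args["lines"]
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise ToolArgError("name outside allowlist")
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(lines, bool) or not isinstance(lines, int):
        raise ToolArgError("lines must be an integer")
    if not 1 <= lines <= MAX_LINES:
        raise ToolArgError("lines out of range")
    root = LOG_ROOT.resolve()
    target = (root / name).resolve()
    try:
        # Defense in depth: a symlink inside the root must not lead outside it.
        target.relative_to(root)
    except ValueError:
        raise ToolArgError("path escapes log root") from None
    # For subprocess.run(argv, shell=False); "--" ends option parsing.
    return ["tail", "-n", str(lines), "--", str(target)]


def check(args):
    """Return 'ok' or the rejection reason, e.g. for audit logging."""
    try:
        build_tail_argv(args)
        return "ok"
    except ToolArgError as exc:
        return str(exc)
```

Logging the reason returned by `check` for every rejected call gives detection teams a signal that model output is steering a tool toward arguments outside its contract.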


Primary source: Microsoft Defender Security Research, Microsoft Security Blog, May 7, 2026. This advisory is an independent defensive guide produced by Spectreworks AI and is not affiliated with Microsoft.