CVE-2026-25592
Published: 06 February 2026
Summary
CVE-2026-25592 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating the flaw by updating to Microsoft.SemanticKernel.Core version 1.71.0 directly eliminates the arbitrary file write vulnerability in the SessionsPythonPlugin.
Implementing input validation mechanisms to allowlist localFilePath arguments for DownloadFileAsync and UploadFileAsync calls directly prevents exploitation of the arbitrary file write vulnerability.
Enforcing least privilege on processes using the Semantic Kernel SDK restricts the locations and impact of potential arbitrary file writes by low-privileged attackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file write (path traversal) in network-reachable SDK component directly enables remote exploitation of public-facing apps (T1190) and remote placement of attacker-controlled files/payloads (T1105).
NVD Description
Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has…
more
been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed.
Deeper analysisAI
CVE-2026-25592 is an arbitrary file write vulnerability (CWE-22) in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. The issue affects versions prior to 1.71.0 of Microsoft.SemanticKernel.Core and was published on 2026-02-06 with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A low-privileged remote attacker (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). The scope is changed (S:C), enabling high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Successful exploitation allows arbitrary file writes, potentially leading to full system compromise.
The vulnerability has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users should create a Function Invocation Filter to validate arguments passed to DownloadFileAsync or UploadFileAsync calls, ensuring the localFilePath is allowlisted. Additional details are available in the GitHub security advisory (GHSA-2ww3-72rp-wpp4) and related pull request.
This vulnerability is particularly relevant in AI/ML contexts, as it affects an SDK for AI agent orchestration, potentially exposing deployments of multi-agent systems to file system manipulation by compromised plugins. No public information on real-world exploitation is available.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai