Cyber Resilience

CVE-2026-25592

Critical

Published: 06 February 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0195 (77.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25592 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25592 is an arbitrary file write vulnerability (CWE-22) in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. The issue affects versions prior to 1.71.0 of Microsoft.SemanticKernel.Core and was published on 2026-02-06 with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A low-privileged remote attacker (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). The scope is changed (S:C), enabling high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Successful exploitation allows arbitrary file writes, potentially leading to full system compromise.

The vulnerability has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users should create a Function Invocation Filter to validate arguments passed to DownloadFileAsync or UploadFileAsync calls, ensuring the localFilePath is allowlisted. Additional details are available in the GitHub security advisory (GHSA-2ww3-72rp-wpp4) and related pull request.
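One way to write the Function Invocation Filter described above, as an added example (not code from the advisory or from the Semantic Kernel project). The class name, the `AllowedRoot` directory and the matching of function names both with and without the `Async` suffix are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.SemanticKernel;

// Added example: rejects file-transfer calls whose localFilePath resolves
// outside one allowlisted directory. Class name and AllowedRoot are hypothetical.
public sealed class LocalFilePathAllowlistFilter : IFunctionInvocationFilter
{
    // Assumption: the only directory the agent may read from or write to.
    private static readonly string AllowedRoot =
        Path.GetFullPath("/var/lib/agent-files") + Path.DirectorySeparatorChar;

    // Assumption: matched with and without the "Async" suffix, because the
    // registered function name may differ from the method name.
    private static readonly string[] GuardedFunctions =
        { "DownloadFileAsync", "DownloadFile", "UploadFileAsync", "UploadFile" };

    public async Task OnFunctionInvocationAsync(
        FunctionInvocationContext context,
        Func<FunctionInvocationContext, Task> next)
    {
        // Fail closed: a guarded call with a null or out-of-root path is refused.
        if (GuardedFunctions.Contains(context.Function.Name, StringComparer.Ordinal)
            && context.Arguments.TryGetValue("localFilePath", out object? raw)
            && !IsAllowed(raw?.ToString()))
        {
            throw new UnauthorizedAccessException(
                $"{context.Function.Name}: localFilePath is outside the allowlisted directory.");
        }
        await next(context); // not a guarded function, or the path passed the check
    }

    // Canonicalise first so "..", "." and relative paths cannot escape the root.
    // GetFullPath does not resolve symlinks; keep AllowedRoot free of them.
    internal static bool IsAllowed(string? candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate)) return false;
        string full;
        try { full = Path.GetFullPath(candidate); }
        catch (Exception e) when (e is ArgumentException or NotSupportedException or PathTooLongException)
        { return false; }
        // Trailing separator on AllowedRoot stops "/var/lib/agent-files-evil" from matching.
        return full.StartsWith(AllowedRoot, StringComparison.Ordinal);
    }
}
```

Register the filter with `kernel.FunctionInvocationFilters.Add(new LocalFilePathAllowlistFilter());` before any plugin function can be invoked. Upgrading to 1.71.0 remains the fix; the filter is the interim control.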

This vulnerability is particularly relevant in AI/ML contexts, as it affects an SDK for AI agent orchestration, potentially exposing deployments of multi-agent systems to file system manipulation by compromised plugins. No public information on real-world exploitation is available.

Vulnerability details

Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.71.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed.

CWE(s)

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, semantic kernel

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

Why these techniques?

An arbitrary file write (path traversal) in a network-reachable SDK component directly enables remote exploitation of public-facing apps (T1190) and remote placement of attacker-controlled files/payloads (T1105).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7216 (Shared CWE-22)
CVE-2026-7811 (Shared CWE-22)
CVE-2026-40576 (Shared CWE-22)
CVE-2026-7237 (Shared CWE-22)
CVE-2026-27969 (Shared CWE-22)
CVE-2026-7398 (Shared CWE-22)
CVE-2026-32055 (Shared CWE-22)
CVE-2026-21878 (Shared CWE-22)
CVE-2026-39308 (Shared CWE-22)
CVE-2026-6957 (Shared CWE-22)

Affected Assets

Microsoft.SemanticKernel.Core
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Remediating the flaw by updating to Microsoft.SemanticKernel.Core version 1.71.0 directly eliminates the arbitrary file write vulnerability in the SessionsPythonPlugin.

prevent

Implementing input validation mechanisms to allowlist localFilePath arguments for DownloadFileAsync and UploadFileAsync calls directly prevents exploitation of the arbitrary file write vulnerability.

prevent

Enforcing least privilege on processes using the Semantic Kernel SDK restricts the locations and impact of potential arbitrary file writes by low-privileged attackers.
