Microsoft Semantic Kernel is an SDK designed to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to version 1.71.0, the SDK's SessionsPythonPlugin contained a critical vulnerability classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory, commonly known as a path traversal flaw. This vulnerability allows an attacker with limited privileges to manipulate file path parameters passed to the DownloadFileAsync and UploadFileAsync functions, enabling arbitrary file write operations outside the intended directories. Such arbitrary file writes can lead to complete compromise of the host system by overwriting critical files, injecting malicious code, or disrupting system operations. The vulnerability has a CVSS 3.1 base score of 10.0, reflecting its critical impact on confidentiality, integrity, and availability, with an attack vector that is network-based, low complexity, requiring privileges but no user interaction, and with scope change. Microsoft addressed this issue in Semantic Kernel version 1.71.0. As an interim mitigation, users can implement a Function Invocation Filter to validate and allowlist localFilePath arguments to prevent unauthorized file system access. The vulnerability is particularly concerning given the increasing adoption of Semantic Kernel in AI development environments, where compromised agents could lead to broader systemic risks.

The impact of CVE-2026-25592 is severe for organizations deploying Microsoft Semantic Kernel SDK versions prior to 1.71.0. Successful exploitation allows attackers to write arbitrary files on the host system, potentially leading to full system compromise, data breaches, or service disruption. This threatens the confidentiality of sensitive data, the integrity of system and application files, and the availability of AI agent services. Given the SDK’s role in orchestrating AI agents, compromised systems could be leveraged to manipulate AI workflows, inject malicious payloads, or pivot to other network assets. Organizations relying on Semantic Kernel for critical AI operations or multi-agent orchestration face heightened risks of operational disruption and reputational damage. The vulnerability’s network accessibility and low exploitation complexity increase the likelihood of targeted attacks, especially in environments where attackers have some level of access or privileges. Although no exploits are currently known in the wild, the critical severity and broad impact necessitate urgent remediation.

To mitigate CVE-2026-25592, organizations should immediately upgrade Microsoft Semantic Kernel SDK to version 1.71.0 or later, where the vulnerability is patched. Until upgrading is feasible, implement a Function Invocation Filter that rigorously validates and allowlists the localFilePath arguments passed to DownloadFileAsync and UploadFileAsync methods to prevent path traversal attempts. Restrict permissions on directories accessible by the SDK to minimize the impact of potential exploitation. Employ runtime monitoring and file integrity checks to detect unauthorized file modifications. Limit privileges of accounts running Semantic Kernel agents to the minimum necessary to reduce attack surface. Conduct thorough code reviews and security testing on AI agent workflows that utilize file operations. Maintain up-to-date backups and incident response plans to quickly recover from potential compromises. Additionally, monitor threat intelligence sources for any emerging exploit activity targeting this vulnerability.