CVE-2026-25592 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as Path Traversal) affecting Microsoft’s Semantic Kernel .NET SDK versions earlier than 1.70.0. Semantic Kernel is a software development kit designed to build, orchestrate, and deploy AI agents and multi-agent systems. The vulnerability resides specifically in the SessionsPythonPlugin component, where the methods DownloadFileAsync and UploadFileAsync improperly validate the localFilePath argument. An attacker with limited privileges (PR:L) can exploit this flaw remotely (AV:N) without user interaction (UI:N) to write arbitrary files to the file system outside the intended directories. This can lead to complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) of the host system, as malicious files could overwrite critical system or application files, inject malicious code, or disrupt operations. The vulnerability’s scope is changed (S:C), meaning it can affect resources beyond the initially vulnerable component. Microsoft addressed this issue in Semantic Kernel version 1.70.0. As an interim mitigation, users can implement a Function Invocation Filter that validates and allow-lists the localFilePath arguments passed to the vulnerable methods to prevent unauthorized file writes. No public exploits have been reported yet, but the vulnerability’s critical CVSS score of 10 underscores the urgency for remediation.

For European organizations, the impact of CVE-2026-25592 is significant, especially for those leveraging Microsoft Semantic Kernel in AI development, orchestration, or deployment environments. Exploitation could allow attackers to overwrite or create arbitrary files on critical systems, potentially leading to full system compromise, data breaches, or disruption of AI services. This could affect intellectual property, sensitive data, and operational continuity. Given the increasing adoption of AI technologies in sectors such as finance, healthcare, manufacturing, and government across Europe, the risk extends to critical infrastructure and sensitive environments. The vulnerability’s ability to be exploited remotely without user interaction increases the attack surface and urgency for patching. Additionally, the compromise of AI orchestration platforms could facilitate further attacks or manipulation of AI-driven decision-making processes, amplifying the threat impact.

1. Immediately upgrade Microsoft Semantic Kernel SDK to version 1.70.0 or later to apply the official patch. 2. Until patching is possible, implement a strict Function Invocation Filter to validate and allow-list all localFilePath arguments passed to DownloadFileAsync and UploadFileAsync methods, ensuring paths do not escape intended directories. 3. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to monitor and block suspicious file system write operations originating from Semantic Kernel components. 4. Conduct thorough code reviews and static analysis on any custom plugins or extensions interacting with file system APIs to detect similar path traversal risks. 5. Restrict permissions of the service accounts running Semantic Kernel to the minimum necessary file system access to limit potential damage. 6. Monitor logs for unusual file write activities or errors related to file path handling. 7. Educate development and security teams about the risks of path traversal vulnerabilities and secure coding practices related to file handling.