惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threat Research - Cisco Blogs
博客园 - 聂微东
小众软件
小众软件
P
Proofpoint News Feed
Security Archives - TechRepublic
Security Archives - TechRepublic
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
TaoSecurity Blog
TaoSecurity Blog
博客园 - 司徒正美
罗磊的独立博客
N
News and Events Feed by Topic
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Security Affairs
S
Security @ Cisco Blogs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The GitHub Blog
The GitHub Blog
月光博客
月光博客
S
Secure Thoughts
P
Proofpoint News Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Forbes - Security
Forbes - Security
H
Heimdal Security Blog
W
WeLiveSecurity
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
L
LangChain Blog
T
The Blog of Author Tim Ferriss
NISL@THU
NISL@THU
Google DeepMind News
Google DeepMind News
Cloudbric
Cloudbric
H
Hacker News: Front Page
The Last Watchdog
The Last Watchdog
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cisco Blogs
博客园 - 三生石上(FineUI控件)
博客园_首页
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Schneier on Security
Project Zero
Project Zero
SecWiki News
SecWiki News
爱范儿
爱范儿
The Register - Security
The Register - Security
AI
AI
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Y
Y Combinator Blog
L
Lohrmann on Cybersecurity
Application and Cybersecurity Blog
Application and Cybersecurity Blog
P
Privacy International News Feed
J
Java Code Geeks
S
Securelist
C
Cyber Attacks, Cyber Crime and Cyber Security
V
Visual Studio Blog

CERT Recently Published Vulnerability Notes

CERT/CC Vulnerability Note VU#326070 CERT/CC Vulnerability Note VU#529388 CERT/CC Vulnerability Note VU#725167 VU#564823: GNU Wget enables SSRF via unvalidated FTP PASV IPs CERT/CC Vulnerability Note VU#152953 CERT/CC Vulnerability Note VU#734812 CERT/CC Vulnerability Note VU#849433 CERT/CC Vulnerability Note VU#213560 CERT/CC Vulnerability Note VU#828543 CERT/CC Vulnerability Note VU#639124 CERT/CC Vulnerability Note VU#936962 CERT/CC Vulnerability Note VU#226679 CERT/CC Vulnerability Note VU#457458 CERT/CC Vulnerability Note VU#380058 CERT/CC Vulnerability Note VU#862559 CERT/CC Vulnerability Note VU#616257 CERT/CC Vulnerability Note VU#595768 CERT/CC Vulnerability Note VU#615987 CERT/CC Vulnerability Note VU#265691 CERT/CC Vulnerability Note VU#873170 CERT/CC Vulnerability Note VU#158530 CERT/CC Vulnerability Note VU#780781 CERT/CC Vulnerability Note VU#980487 CERT/CC Vulnerability Note VU#777338 CERT/CC Vulnerability Note VU#471747 CERT/CC Vulnerability Note VU#937808 CERT/CC Vulnerability Note VU#260001 CERT/CC Vulnerability Note VU#748485 CERT/CC Vulnerability Note VU#518910 CERT/CC Vulnerability Note VU#890999 CERT/CC Vulnerability Note VU#414811 CERT/CC Vulnerability Note VU#915947 CERT/CC Vulnerability Note VU#536588 CERT/CC Vulnerability Note VU#951662 CERT/CC Vulnerability Note VU#655822 CERT/CC Vulnerability Note VU#221883 CERT/CC Vulnerability Note VU#330121 CERT/CC Vulnerability Note VU#577436 CERT/CC Vulnerability Note VU#624941 CERT/CC Vulnerability Note VU#907705 CERT/CC Vulnerability Note VU#665416 CERT/CC Vulnerability Note VU#976247 CERT/CC Vulnerability Note VU#772695 CERT/CC Vulnerability Note VU#504749 CERT/CC Vulnerability Note VU#458422 CERT/CC Vulnerability Note VU#481830
CERT/CC Vulnerability Note VU#431821
2026-03-02 · via CERT Recently Published Vulnerability Notes

Overview

A command injection vulnerability was identified in the MS-Agent framework that can be triggered through unsanitized prompt-derived input. An attacker can craft untrusted input introduced via a chat prompt or other external content sources, resulting in arbitrary command execution on the target system(s) where the MS-Agent framework is deployed. No patch or vendor statement was obtained during the coordination process.

Description

MS-Agent is a lightweight framework that enables agents to perform autonomous task execution and tool invocation. The MS-Agent framework includes several features, including a Shell tool that enables execution of commands on the target operating system to complete agentic actions.

A vulnerability has been identified that allows unsanitized input to be executed through the Shell tool. This occurs because the software does not sufficiently verify and sanitize content before execution. As a result, an attacker can leverage prompt injection techniques to influence the agent into executing unintended shell commands when interacting with attacker-controlled content.

The Shell tool relies on regular expression–based filtering in the check_safe() method, which is intended to restrict unsafe commands. The implemented default denylist can be bypassed, allowing crafted input to evade validation checks and reach the shell execution layer.

The vulnerability is tracked as:

CVE-2026-2256
Command injection vulnerability in ModelScope's ms-agent allows an attacker to execute arbitrary operating system commands through crafted prompt-derived input.

This vulnerability may be exploited when the agent is instructed to process or retrieve external content, such as analyzing code, summarizing documents, or performing other tasks that involve interacting with attacker-controlled data. If the retrieved or processed content contains malicious command sequences that bypass the check_safe() validation, the agent may forward those commands to the Shell tool for execution.

The use of a regular expression denylist in the check_safe() method is insufficient to prevent command injection. Denylist-based filtering is inherently fragile and can often be bypassed through encoding, command obfuscation, or alternative shell syntax. In this case, the filtering logic can be circumvented, enabling arbitrary command execution within the execution context of the agent process.

Impact

An attacker who successfully exploits this vulnerability may execute arbitrary operating system commands on the target with the privileges of the MS-Agent process. This may allow modification of system files, lateral movement within the environment, establishment of persistence mechanisms, or exfiltration of sensitive data accessible to the agent.

Solution

No statement was provided by the vendor during coordination efforts. Users should deploy MS-Agent only in environments where ingested content is trusted, validated, or sanitized. Agents with shell execution capabilities should be sandboxed or executed with least-privilege permissions. Additional mitigation strategies include replacing denylist-based filtering with strict allowlists and implementing stronger isolation boundaries for tool execution.

Acknowledgements

Thanks to the reporter, Itamar Yochpaz, for this report. Document written by Christopher Cullen.

Vendor Information

431821


Other Information

CVE IDs: CVE-2026-2256
API URL: VINCE JSON | CSAF
Date Public: 2026-03-02
Date First Published: 2026-03-02
Date Last Updated: 2026-03-02 20:09 UTC
Document Revision: 1