[Research] Full-chain RCE in Microsoft Semantic Kernel & Agent Framework 1.0 (6 Bypasses)

Summary: I’m disclosing a full-chain CVSS 10.0 RCE affecting Microsoft Semantic Kernel (.NET v1.74) and the new Agent Framework 1.0. The Timeline & Conflict: > * March 24: Initial disclosure sent to MSRC with PoC. April 8: MSRC closed the case as “Developer Error / Configuration Issue.” The Reality: Despite the rejection, Microsoft silently merged mitigations in PRs #13683 and #13702 without assigning a CVE. This results in a “False Green” for enterprise SCA tools (Snyk/Checkmarx/Dependabot) while the bypasses remain functional. Technical Scope: Architectural Trust Gap (CWE-1039): Auto-invocation logic treats non-deterministic LLM output as a high-privilege system coordinator without a sandbox boundary. 6 Day-Zero Bypasses: Discovery of Type Confusion and Unicode homoglyphs that defeat the “hardened” baseline in the April 2026 releases. Versioning: Persistence confirmed from .NET v1.7x through the Agent Framework 1.0 re-baseline. Full paper, .cast exploit recordings, and a production-ready C# remediation filter are available at the link. submitted by /u/JDP-SEC [link] [comments]Technical Information Security Content & DiscussionRead More