⚠️ CRITICAL ADVISORY: If you are running Microsoft Semantic Kernel (.NET SDK) version 1.48.0 or below, or the newly released Agent Framework 1.0, your environment is currently operating with an unmitigated RCE entry point. This paper demonstrates active bypasses against Microsoft's official remediation for CVE-2026-25592. Users are strongly advised to implement the manual NukaSecurityFilter outlined in Appendix 1 immediately.

WHITE PAPER | NUKA-AI-2026-001

The Orchestration Trust Gap: Day-Zero Bypasses in Microsoft Semantic Kernel and Agent Framework 1.0

Author: Jeff Ponte, CISSP, CCSP, CEH | Security Researcher, JDP-Security
Series: Project Nuka-AI (Disclosure #1)
Date: April 25, 2026
Classification: Public Research Disclosure
Target: Microsoft Semantic Kernel (.NET) v1.47.0 - v1.48.0, Agent Framework 1.0
CVSS v3.1 Score: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE Chain: CWE-1039 → CWE-22 → CWE-94

Executive Summary

This white paper documents a catastrophic architectural flaw in Microsoft's Semantic Kernel (SK) framework, the premier orchestration layer for .NET-based AI agents. My research reveals a fundamental "Trust Gap" where the framework treats stochastic, untrusted Large Language Model (LLM) output as deterministic, high-privilege system commands. This oversight culminates in a full-chain Remote Code Execution (RCE) vulnerability driven by CWE-1039 (Insecure Automated Optimizations). I demonstrate how an AI agent can be manipulated into overwriting its own host application's source code (internally tracked as the "Self-Nuke" vector). Crucially, my forensic analysis spanning versions 1.47.0 through 1.48.0 proves that Microsoft's previous attempts to secure the framework have failed. I am disclosing six independent Day-Zero bypass vectors that completely evade the official patch issued for the February 6th Path Traversal vulnerability (CVE-2026-25592).

This research proves that the current framework security model is architecturally unsound, relying on siloed, cosmetic filters rather than foundational security principles like mandatory input canonicalization.

Key Takeaways

- CVSS 10.0 RCE exists in Microsoft Semantic Kernel v1.48.0 and Agent Framework 1.0
- 6 Day-Zero Bypasses defeat Microsoft's CVE-2026-25592 patch
- Shadow Patching occurred while Microsoft publicly denied the vulnerability
- Type Confusion is the root cause: filters check string but plugins accept object
- Immediate Action Required: Disable AutoInvokeKernelFunctions and implement the Appendix 1 filter

1. Business Impact: The "Silent" Enterprise Risk

This vulnerability represents a systemic failure in the AI supply chain. Because Microsoft has currently dismissed these bypasses as "Developer Error" rather than issuing a new CVE or acknowledging the failed patch, the enterprise risk is severely compounded:

- SCA Tool Blindness: Software Composition Analysis (SCA) and vulnerability scanners remain "green." Organizations believe they are secure because they patched CVE-2026-25592, entirely unaware that the patch is trivial for an LLM to bypass.
- Agent Framework 1.0 Inheritance: Microsoft officially launched Agent Framework 1.0 on April 3, 2026. Because it is built atop these same orchestration primitives, Agent Framework 1.0 inherits this exact CVSS 10.0 "Trust Gap" out of the box.
- Shadow Patching Risks: Microsoft's internal remediation cycle (see Section 7) has consisted of quiet, incomplete mitigations. This leaves developers unaware that their current implementation of AutoInvokeKernelFunctions is a direct conduit for host takeover.

Industries at Immediate Risk:

- Finance: AI-powered trading agents with file system access
- Healthcare: Patient data processing via AI orchestration
- Government: Autonomous document processing systems
- SaaS: Multi-tenant AI services using Semantic Kernel

2. The Mechanics of Orchestration: Understanding Semantic Kernel

To comprehend the severity of these vulnerabilities, one must understand how Semantic Kernel operates. SK is not merely an API wrapper for OpenAI; it is a complex orchestration engine designed to give LLMs "hands" to interact with the host operating system.

The Execution Pipeline

1. The Prompt: A user inputs a natural language request.
2. The Planner/Kernel: SK sends this request to the LLM, along with a "manifest" of available C# native functions (Plugins).
3. The Tool Call: The LLM returns a JSON-formatted Tool Call instructing the framework to execute a specific C# function with specific arguments.
4. The Execution Sink: The framework maps the LLM's JSON request to the compiled C# binary, executes the code, and feeds the result back to the LLM.

The Fatal Assumption: Traditional application security assumes that the user is malicious and the backend logic is trusted. Semantic Kernel breaks this paradigm by placing a non-deterministic entity (the LLM) in the middle of the execution pipeline, yet the framework continues to trust the LLM's output as if it were hardcoded backend logic.

3. The Dual-Vul...
A critical architectural flaw in Microsoft's Semantic Kernel and Agent Framework 1.0 allows full-chain remote code execution by treating untrusted LLM output as high-privilege system commands, bypassing the official patch for CVE-2026-25592. The vulnerability carries a CVSS score of 10.0 and affects Semantic Kernel versions 1.47.0 through 1.48.0 and Agent Framework 1.0. As no fixed version is provided, the immediate workaround is to disable the `AutoInvokeKernelFunctions` feature and implement the manual `NukaSecurityFilter` outlined in the article's Appendix 1.
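As an added example (not from this paper, not its Appendix 1 NukaSecurityFilter, and not Microsoft code), the C# filter below illustrates the two controls the takeaways call for on the defender's side: an explicit allow-list of plugins reachable from an LLM tool call, and canonicalization of every argument the tool call carries regardless of its runtime type, which closes the "filters check string but plugins accept object" gap. It assumes the Semantic Kernel .NET 1.x filter surface as I understand it (IFunctionInvocationFilter, FunctionInvocationContext, KernelArguments, FunctionResult and Kernel.FunctionInvocationFilters); the sandbox root and plugin name in the usage note are constructed placeholders.

```csharp
// Added example (not the paper's Appendix 1 filter, not Microsoft code).
// Assumes the Semantic Kernel .NET 1.x filter API named in the lead-in; check the
// exact type names against the SDK version in use.
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.SemanticKernel;

/// Fail-closed guard in front of the execution sink: plugin allow-list plus
/// canonicalization of every argument value, whatever its runtime type.
public sealed class CanonicalPathFilter : IFunctionInvocationFilter
{
    private readonly string _allowedRoot;             // sandbox dir, normalised, trailing separator
    private readonly HashSet<string> _allowedPlugins; // plugins an LLM tool call may reach

    public CanonicalPathFilter(string allowedRoot, IEnumerable<string> allowedPlugins)
    {
        _allowedRoot = Path.GetFullPath(allowedRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        _allowedPlugins = new HashSet<string>(allowedPlugins, StringComparer.OrdinalIgnoreCase);
    }

    public async Task OnFunctionInvocationAsync(
        FunctionInvocationContext context, Func<FunctionInvocationContext, Task> next)
    {
        string plugin = context.Function.PluginName ?? string.Empty;
        if (!_allowedPlugins.Contains(plugin))
        {
            // Setting Result and not calling next() stops the function from running.
            context.Result = new FunctionResult(context.Function,
                $"Blocked: plugin '{plugin}' is not on the auto-invocation allow-list.");
            return;
        }

        foreach (KeyValuePair<string, object?> arg in context.Arguments)
        {
            // Walk the value as raw text whether it arrived as string, JsonElement,
            // array or POCO, so an `is string` check cannot be sidestepped by type.
            foreach (string text in Flatten(arg.Value))
            {
                string canonical = Canonicalize(text);
                if (HasPathSyntax(canonical) && !IsInsideRoot(canonical))
                {
                    context.Result = new FunctionResult(context.Function,
                        $"Blocked: argument '{arg.Key}' resolves outside the sandbox root.");
                    return;
                }
            }
        }

        await next(context);
    }

    // Yields every string reachable inside an argument value (recursing into JSON and collections).
    private static IEnumerable<string> Flatten(object? value)
    {
        switch (value)
        {
            case null: yield break;
            case string s: yield return s; break;
            case JsonElement je when je.ValueKind == JsonValueKind.String:
                yield return je.GetString() ?? string.Empty; break;
            case JsonElement je when je.ValueKind == JsonValueKind.Array:
                foreach (JsonElement item in je.EnumerateArray())
                    foreach (string t in Flatten(item)) yield return t;
                break;
            case JsonElement je when je.ValueKind == JsonValueKind.Object:
                foreach (JsonProperty p in je.EnumerateObject())
                    foreach (string t in Flatten(p.Value)) yield return t;
                break;
            case JsonElement other: yield return other.GetRawText(); break; // number, bool, null
            case IEnumerable seq:
                foreach (object? item in seq)
                    foreach (string t in Flatten(item)) yield return t;
                break;
            default:
                // Any other object: serialise once and re-walk so nested string fields are seen
                // (a cyclic graph throws here, which also prevents execution: fail closed).
                foreach (string t in Flatten(JsonSerializer.SerializeToElement(value))) yield return t;
                break;
        }
    }

    // Bounded percent-decoding so %2e%2e%2f and double-encoded forms collapse to literal
    // characters before the path check; backslashes are unified so Linux hosts see them too.
    private static string Canonicalize(string text)
    {
        string current = text;
        for (int i = 0; i < 4; i++)
        {
            string decoded = Uri.UnescapeDataString(current);
            if (decoded == current) break;
            current = decoded;
        }
        return current.Replace('\\', '/');
    }

    private static bool HasPathSyntax(string text) =>
        text.Contains('/') || text.Contains("..") || text.Contains('\0') || Path.IsPathRooted(text);

    private bool IsInsideRoot(string text)
    {
        if (text.Contains('\0')) return false; // embedded NUL: fail closed
        try
        {
            // Combine() returns the argument unchanged when it is absolute, so an absolute
            // path outside the sandbox fails the prefix test just like a "../" escape.
            string full = Path.GetFullPath(Path.Combine(_allowedRoot, text));
            return (full + Path.DirectorySeparatorChar)
                .StartsWith(_allowedRoot, StringComparison.OrdinalIgnoreCase);
        }
        catch (Exception) { return false; } // anything GetFullPath rejects is treated as hostile
    }
}
```

Attach it with `kernel.FunctionInvocationFilters.Add(new CanonicalPathFilter("/srv/agent-sandbox", new[] { "FileReader" }))` (placeholder root and plugin name). The filter is deliberately strict: any argument that contains path syntax and does not resolve under the sandbox root blocks the call, and a plugin not on the list never executes from a tool call at all. It complements, rather than replaces, the paper's first recommendation of turning off AutoInvokeKernelFunctions; where auto-invocation must stay on, a short allow-list plus canonicalization at the execution sink is the control point that a string-only check in a prompt filter does not give you.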