HIGH | CVE-2026-45322 | CNA: GitHub_M

CVE-2026-45322: OS Command Injection in Microsoft UFO Shell Action Replay via Stored Session JSON

Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. Tagged releases of Microsoft UFO up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.run_shell() passes a command string taken from action parameters directly to subprocess.Popen() with shell=True and executable=powershell.exe. The same shell-execution behavior is also reachable through ShellReceiver.execute_command(). The shell receiver is invoked by action classes such as RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters to it. Because UFO stores planned and executed actions in per-session JSON records, an attacker who can write or modify a session/action JSON file can plant a shell action; when the session is resumed or replayed, UFO executes the attacker's command as the UFO process user.

HarborGuard Analysis

Synopsis

OS command injection in Microsoft UFO (an open-source intelligent automation framework) allows any attacker with write access to a session or action JSON file on the host to execute arbitrary operating system commands. The vulnerability is reached locally; a low-privileged account is sufficient, and no victim interaction is needed. When a poisoned session is resumed or replayed, UFO passes the planted command directly to PowerShell via subprocess.Popen with shell=True, giving the attacker full code execution as the UFO process user. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images running any version of Microsoft UFO up to and including v3.0.0, covering both third-party base images and custom-built images that bundle the framework.

Triage: Available

HarborGuard scores this finding at CVSS 7.8 HIGH (v3.1) and weights it against each environment's compliance policy to determine urgency and routing, directing alerts to the team or inbox responsible for the affected workload within the customer org.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Microsoft releases a remediated version. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once the fix is available.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required.

  • Authentication: Required

    Any low-privilege OS account with write access to the session or action JSON files is sufficient; no administrative privileges are needed.

  • Victim interaction: Not required

    No user action is required; exploitation occurs automatically when UFO resumes or replays the poisoned session.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free: writing a crafted command string into a JSON file and waiting for session replay requires no race conditions or special environmental setup.

Blast Radius

  • Reads any files and secrets accessible to the UFO process user, including stored session tokens, credentials, and configuration data on the host.
  • Modifies or deletes files owned by the UFO process user, including session records, automation scripts, and application data.
  • Executes arbitrary PowerShell commands as the UFO process user, enabling lateral movement, persistence mechanisms, or further privilege escalation on the host.
  • Crashes or disrupts the UFO automation service by terminating processes or corrupting state files the service depends on.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-45322 is active across all customer environments, flagging any image that bundles Microsoft UFO v3.0.0 or earlier. Because no upstream patch exists at this time, the recommended compensating controls are:

  • Restrict write permissions on UFO session and action JSON directories to the minimum required service account.
  • Apply filesystem-level access controls or read-only volume mounts in container deployments to prevent untrusted processes from modifying JSON session files.
  • Where the shell receiver feature is not required, disable or remove the ShellReceiver and associated action classes at the application layer.

HarborGuard monitors the upstream advisory and the microsoft/UFO repository on every ingest cycle. The moment Microsoft publishes a fix, a patched-image rebuild becomes available, and for customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically.
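The following is an added example written for this page, not code from Microsoft UFO or from HarborGuard. It illustrates two of the points above: the trust problem in the description (stored session records are forwarded straight to action classes, so a planted RunShellCommand reaches ShellReceiver.run_shell()) and the third compensating control (refusing shell actions at the application layer). The JSON layout (a list of records with "function" and "args" keys), the action names on the replay allowlist, and the `dispatch` callback are assumptions made for illustration, not UFO's real on-disk format or API. `audit_actions()` scans stored records without executing anything; `safe_replay()` gates replay on an allowlist that deliberately omits the two shell actions the advisory names.

```python
"""
Replay-time guard and audit for stored UFO-style session records.

Example code added by the editor; not part of Microsoft UFO. The JSON
layout below (a list of action records with "function" and "args" keys)
is an assumption used for illustration, not UFO's actual on-disk format.
"""
import json
import re
import tempfile
from pathlib import Path

# Action classes the advisory names as routes into ShellReceiver.
SHELL_ACTIONS = frozenset({"RunShellCommand", "ExecuteCommand"})

# Replay allowlist: assumed benign action names for illustration. Shell
# actions are deliberately absent, which is the application-layer form of
# "disable the ShellReceiver and associated action classes" for replays.
REPLAY_ALLOWLIST = frozenset({"Click", "TypeText", "Wait", "Screenshot"})

# Heuristic: strings that usually mean a stored "argument" is a command line.
SUSPICIOUS = re.compile(
    r"(powershell|cmd(\.exe)?\s|\$\(|Invoke-|&&|\|\||;|\|)", re.IGNORECASE
)


class RejectedAction(Exception):
    """Raised when a stored record asks for an action replay must not run."""


def load_session(path):
    """Parse a session JSON file into a list of action dicts (assumed layout)."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    actions = data.get("actions", [])
    if not isinstance(actions, list):
        raise ValueError("'actions' must be a list")
    return actions


def audit_actions(actions):
    """Return (index, action, reason) findings for records that would reach a
    shell on replay. Executes nothing; intended for scanning stored sessions."""
    findings = []
    for idx, rec in enumerate(actions):
        name = str(rec.get("function", ""))
        args = rec.get("args", {})
        if name in SHELL_ACTIONS:
            findings.append((idx, name, "shell action stored in session record"))
            continue
        # Catch command lines smuggled into otherwise benign-looking arguments.
        for key, val in (args.items() if isinstance(args, dict) else []):
            if isinstance(val, str) and SUSPICIOUS.search(val):
                findings.append((idx, name, f"command-like string in arg '{key}'"))
    return findings


def safe_replay(actions, dispatch):
    """Replay records through dispatch(name, args) behind an allowlist gate.

    The vulnerable pattern forwards every stored record to its action class,
    so a planted RunShellCommand reaches ShellReceiver.run_shell(). Here any
    action not on REPLAY_ALLOWLIST aborts the replay before dispatch.
    """
    executed = []
    for idx, rec in enumerate(actions):
        name = str(rec.get("function", ""))
        if name not in REPLAY_ALLOWLIST:
            raise RejectedAction(f"record {idx}: action '{name}' is not replayable")
        dispatch(name, rec.get("args", {}))
        executed.append(name)
    return executed


# Constructed sample session, not a real UFO record.
SAMPLE_SESSION = {
    "actions": [
        {"function": "Click", "args": {"control": "OK"}},
        {"function": "TypeText", "args": {"text": "hello"}},
        {"function": "RunShellCommand", "args": {"command": "placeholder command"}},
        {"function": "TypeText", "args": {"text": "x; Invoke-Something"}},
    ]
}


def demo():
    """Write the sample to a temp file, audit it, then attempt a gated replay."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False,
                                     encoding="utf-8") as fh:
        json.dump(SAMPLE_SESSION, fh)
        path = fh.name
    try:
        actions = load_session(path)
        findings = audit_actions(actions)
        try:
            safe_replay(actions, lambda name, args: None)  # no-op dispatcher
            outcome = "replayed"
        except RejectedAction as exc:
            outcome = f"rejected: {exc}"
    finally:
        Path(path).unlink()
    return findings, outcome


if __name__ == "__main__":
    for finding in demo()[0]:
        print("finding:", finding)
    print("replay:", demo()[1])
```

On the constructed sample the audit reports the stored RunShellCommand record and the TypeText argument that looks like a command line, and the gated replay stops at the shell record before anything is dispatched. The allowlist is the important part: it makes the decision about what a stored record may do at the replay boundary rather than trusting whatever action class name the JSON carries.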


Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: no upstream fix published (pending upstream)
  • Affected products: 1
  • Affected packages: microsoft / UFO <= 3.0.0
  • CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H