Security researchers have identified a critical vulnerability in Microsoft’s NLWeb, a generative AI tool launched recently, that permits unauthorized remote access to sensitive files. Discovered during a security audit by Aonan Guan and Lei Wang, this flaw allows attackers to exploit malformed URLs to gain access to critical system files, including configurations and cloud credentials. The issue stems from a path traversal vulnerability linked to improper code sanitization and lack of final path validation. While Microsoft patched the issue, no Common Vulnerability Enumeration (CVE) was issued. Guan recommends organizations using NLWeb update to the latest version, implement Web Application Firewall (WAF) protections, avoid exposing NLWeb to the public internet, and monitor for suspicious HTTP requests. This incident underscores the need for rigorous security assessments of new AI technologies to prevent exploitation of legacy vulnerabilities. Stay informed on the latest cybersecurity developments by following relevant news platforms.
Source link