Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AsyncRAT Campaign Leverages ScreenConnect to Evade Detection
July 2, 2026
AsyncRAT Campaign Exploits Cloudflare Tunnels and Python for Malware Delivery
July 2, 2026
New Microsoft 365 Phishing Uses OAuth Device Code Flow to Steal Tokens
July 2, 2026
Home/CyberSecurity News/Critical Claude Cowork Sandbox Vulnerability Lets Attackers Run Commands as Root
CyberSecurity News

Critical Claude Cowork Sandbox Vulnerability Lets Attackers Run Commands as Root

Key Takeaways A critical vulnerability chain in Anthropic’s Claude Cowork sandbox allowed local privilege escalation to root. Attackers could execute arbitrary commands as the root user within...

David kimber
David kimber
July 2, 2026 3 Min Read
3 0

Key Takeaways

  • A critical vulnerability chain in Anthropic’s Claude Cowork sandbox allowed local privilege escalation to root.
  • Attackers could execute arbitrary commands as the root user within the product’s isolated Linux virtual machine.
  • The exploit bypassed multiple layers of security, including Authenticode signature checks and sandbox user isolation.
  • The vulnerability affects Claude Desktop for Windows version 1.9255.2.0.
  • A fix has likely been implemented by Anthropic, though details on patch availability were not specified in the original research.

Root-Level Access Achieved in Claude Cowork Sandbox Through Critical Vulnerability Chain

A sophisticated vulnerability chain discovered in Anthropic’s Claude Cowork product enables an attacker with local code execution to escalate privileges, ultimately running arbitrary commands as root within the product’s isolated Linux sandbox. This exploit successfully circumvents multiple defensive layers designed by Anthropic to secure the environment.

Table Of Content

  • Key Takeaways
  • Root-Level Access Achieved in Claude Cowork Sandbox Through Critical Vulnerability Chain
  • Unraveling the Sandbox Vulnerability
  • Download Free Microsoft Vulnerabilities Report 2026 – A The latest Microsoft Vulnerabilities data, analyzed.
  • What You Should Do

Claude Cowork serves as Anthropic’s offering for knowledge workers, providing non-technical users access to Claude Code for tasks such as tool development and data processing. On Windows systems, Cowork encapsulates Claude Code within a Hyper-V-isolated Ubuntu virtual machine. This VM is fortified with several security mechanisms, including Authenticode-gated named-pipe RPC, bubblewrap namespaces, unprivileged per-session users, a seccomp filter, and a domain-restricted egress proxy.

Unraveling the Sandbox Vulnerability

Armadin’s research aimed to achieve silent, arbitrary code execution as root within the VM, coupled with unrestricted network access, and ultimately proved successful in this endeavor.

The Cowork application on Windows provisions its sandbox using the Host Compute Service, deploying an Ubuntu VM that remains hidden from standard Hyper-V management tools. Its presence can only be confirmed by an Administrator using the hcdiag list command.

A Local System service, named CoworkVMService, manages desktop connections via a named pipe (\.pipecowork-vm-service) which hosts a JSON-based RPC server. This service enforces Authenticode signature checks to validate incoming connections, ensuring the caller is signed by “Anthropic, PBC.” Armadin’s attempts to bypass this validation using cloned signature blobs or alternative trust chains were unsuccessful against WinVerifyTrust.

Researchers then shifted their focus to DLL sideloading, a technique documented as MITRE ATT&CK T1574.002. They discovered that claude.exe prioritizes resolving USERENV.dll from its own application directory before resorting to the system’s copy. By creating a malicious DLL that exported GetUserProfileDirectoryW and naming it USERENV.dll, Armadin successfully achieved arbitrary code execution within a legitimately signed Anthropic binary. This allowed them to satisfy the pipe’s identity verification without compromising its integrity.

With code execution established within claude.exe, Armadin leveraged an AI coding agent to reverse-engineer the RPC protocol. This was accomplished by analyzing service logs, error messages, and through JSON fuzzing. The protocol utilized a straightforward [4-byte length][JSON payload] framing and exposed critical methods such as configure, startVM, isGuestConnected, and crucially, spawn.

Most of the sandbox’s protective measures initially held firm. Attempts to add users with reserved names like ‘root’ were rejected, the egress proxy blocked non-allowlisted domains with 403 errors, and NTFS junctions were not traversed into the guest VM.

The pivotal breakthrough came through two parameters within the spawn method that were forwarded verbatim to the VM’s sdk-daemon: isResume and allowedDomains. By fuzzing malformed JSON, Armadin exploited Go’s descriptive unmarshaling errors to fully enumerate the parameter schema.

Typically, setting isResume: false mandates the creation of a new, unprivileged user. However, by setting isResume: true, Armadin bypassed the existing-user check entirely. This allowed the daemon to execute commands as any specified user, including root, without any further validation. Sending the payload {"name": "root", "isResume": true} successfully returned a root shell within the bubblewrap sandbox.

Armadin confirmed the complete kill chain against Claude Desktop for Windows version 1.9255.2.0. While Anthropic’s threat model does not explicitly account for local execution requirements, this discovery underscores the ease with which privilege boundaries within “sandboxed” AI agent tools can be breached once initial access is obtained.

Download Free Microsoft Vulnerabilities Report 2026
– A The latest Microsoft Vulnerabilities data, analyzed.


Download Now

What You Should Do

  • Ensure your Claude Desktop for Windows application is updated to the latest available version. Anthropic has likely issued a patch for this vulnerability.
  • Implement robust endpoint detection and response (EDR) solutions to monitor for unusual process execution and DLL sideloading attempts.
  • Educate users about the risks of executing untrusted code or opening suspicious files, even within seemingly sandboxed environments.
  • Regularly review and audit application logs for any indicators of compromise or anomalous activity within sandboxed applications.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackThreatVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Ousaban Malware Targets Iberian Banks with Phishing PDFs and VBS Downloader

Next Post

New Microsoft 365 Phishing Uses OAuth Device Code Flow to Steal Tokens

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Citrix Bleed (CVE-2023-4966) Critical Vulnerability Actively Exploited
July 2, 2026
DHS Confirms Breach of HSIN Information Sharing Network
July 2, 2026
ChatGPT Flaw Exposes User Files, Poses System Access Risk
July 2, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us