Commit dcc9ba1

committed
Added Agentic AI and Visual Studio Code
1 parent 464120b commit dcc9ba1

1 file changed

+2
-1
lines changed

initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md

Lines changed: 2 additions & 1 deletion
@@ -30,5 +30,6 @@ Similarly, any aspects relating to incident response should be discussed with th
3030
| **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | • —<br> • —<br> • [Zenity Labs](https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a)|
3131
| **Flowise Pre-Auth Arbitrary File Upload – Mar 2025** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) |[FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-26319) <br> • [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) |
3232
| **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • — <br> • — <br> • [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)|
33-
**ForcedLeak (Salesforce Agentforce)** | Critical indirect prompt injection in Salesforce Agentforce allows an external attacker to mislead the agent and exfiltrate sensitive CRM records outside the organization. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) | • [Salesforce](https://help.salesforce.com/s/articleView?id=005135034&type=1)<br> • —<br>• [Noma Security](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce) |
33+
**ForcedLeak (Salesforce Agentforce) – Sep 2025** | Critical indirect prompt injection in Salesforce Agentforce allows an external attacker to mislead the agent and exfiltrate sensitive CRM records outside the organization. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) | • [Salesforce](https://help.salesforce.com/s/articleView?id=005135034&type=1)<br> • —<br>• [Noma Security](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce) |
34+
**Visual Studio Code & Agentic AI workflows RCE – Sep 2025** | Command injection in agentic AI workflows can let a remote, unauthenticated attacker cause VS Code to run injected commands on the developer’s machine. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI05 (Unexpected Code Execution)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319)<br>• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55319)<br>• —
3435
---
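Review bot: the new row at line 34 (Visual Studio Code & Agentic AI workflows RCE) is missing its closing `|` after the final `• —` bullet, and neither it nor the edited ForcedLeak row at line 33 starts with the leading `| ` that the Microsoft, Flowise and Copilot rows above use; GitHub will still render both, but the cells become fragile to edit, so please terminate the row with `|` and align the leading pipe with the rest of the table. Two smaller points on the same rows: the third source cell in the new row is still the `—` placeholder (consider dropping the empty bullet rather than shipping a dash, as the description points to MSRC and NVD already), and the threat column now mixes two taxonomies in one table, `T11 (Unexpected RCE and Code Attacks)` on the Flowise row versus `ASI05 (Unexpected Code Execution)` on the new row, so a reader scanning the column cannot tell whether those are the same category; either map every row to one scheme or add a note above the table explaining the two prefixes.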
