Microsoft Addresses Vulnerability in New NLWeb Protocol

• In NLWeb, a serious vulnerability has been identified that allows attackers to gain access to sensitive data.
• Microsoft quickly addressed the issue, but did not assign it a CVE.
• The vulnerability underscores the risks of older vulnerabilities in new artificial intelligence systems.

This is reported by Mezha, The Verge.

In April, Microsoft introduced NLWeb, a new protocol intended to change the internet, allowing websites to perform actions in plain language, similar to a chatbot. However, shortly after its introduction, a serious vulnerability in the protocol was discovered, as reported by The Verge.

On May 20, during the Build 2025 conference, Microsoft announced NLWeb, and just on May 28, researchers from cybersecurity Aonan Guan and Lei Wang reported the vulnerability. It allowed attackers to gain access to sensitive files, including configuration files of the system and API keys for OpenAI and Gemini.

This vulnerability, which is a classic example of an exploit, can be easily exploited by attackers. Microsoft promptly reacted, releasing an update on June 1. However, the new vulnerability raised serious questions about the company's approach to security. The company has been criticized for not addressing this issue with a CVE, which classifies the vulnerability as being more prone to exploitation.

"This incident is an important reminder that during the creation of new systems based on artificial intelligence, we should pay more attention to the impact of classic vulnerabilities, which can now compromise not only servers but also the 'mosaic' of the agents themselves," noted Guan.

Microsoft also acknowledged the vulnerability, stating that all clients using the repository, including Shopify, Snowflake, and TripAdvisor, are automatically protected. "This issue was promptly reported, and we updated the open repository," said Microsoft spokesperson Ben Houp.

Tags: Technology