Anthropic’s Claude Cowork, a platform designed to assist knowledge workers in building tools and processing data, has been found to contain a critical vulnerability that allows attackers with local code execution capabilities to escalate privileges and execute arbitrary commands as the root user within its isolated Linux sandbox. This flaw effectively bypasses multiple layers of security defenses implemented by Anthropic.
Claude Cowork integrates Claude Code within a Hyper-V-isolated Ubuntu virtual machine (VM) on Windows systems. This setup is fortified with several security measures, including Authenticode-gated named-pipe Remote Procedure Call (RPC), bubblewrap namespaces, per-session unprivileged users, a seccomp filter, and a domain-restricted egress proxy.
Details of the Vulnerability
Security researchers at Armadin conducted an in-depth analysis to determine if arbitrary code could be executed within the VM as the root user, thereby gaining unrestricted network access. Their investigation revealed that the CoworkVMService, a Local System service managing desktop connections, utilizes a named pipe (`\\.\pipe\cowork-vm-service`) to host a JSON-based RPC server. This service validates connections by checking if the caller is signed by “Anthropic, PBC.” Attempts to bypass this validation through cloned signature blobs or alternative trust chains were unsuccessful due to the robustness of the `WinVerifyTrust` function.
However, the researchers identified a vulnerability through Dynamic Link Library (DLL) sideloading. They discovered that `claude.exe` resolves `USERENV.dll` from its application directory before defaulting to the system copy. By crafting a malicious DLL named `USERENV.dll` that exports the `GetUserProfileDirectoryW` function, they achieved arbitrary code execution within a legitimately signed Anthropic binary. This method satisfied the pipe’s identity check without triggering security alerts.
With code execution established inside `claude.exe`, the researchers employed an AI coding agent to reverse-engineer the RPC protocol by analyzing service logs, error messages, and conducting JSON fuzzing. The protocol utilized a simple `[4-byte length][JSON payload]` framing, exposing methods such as `configure`, `startVM`, `isGuestConnected`, and notably, `spawn`.
While most sandbox protections effectively resisted direct attacks—such as `useradd` rejecting reserved usernames like root, the egress proxy blocking non-allowlisted domains, and NTFS junctions not being followed into the guest—the researchers identified a critical oversight. The `spawn` method parameters `isResume` and `allowedDomains` were forwarded verbatim to the VM’s `sdk-daemon`. By sending malformed JSON inputs, they exploited Go’s descriptive unmarshaling errors to enumerate the full parameter schema.
Under normal circumstances, setting `isResume: false` prompts the creation of a new unprivileged user. However, by setting `isResume: true`, the existing-user check was bypassed entirely, allowing the daemon to execute commands as any specified user, including root, without validation. By sending `{"name": "root", "isResume": true}`, the researchers successfully obtained a root shell within the bubblewrap sandbox.
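The following Go program is an added example written for this article; it is not Anthropic's sdk-daemon code nor Armadin's tooling. It shows what the daemon-side handling of a `spawn` frame looks like when the three weaknesses described above are closed: the `[4-byte length][JSON payload]` frame is read with a length cap, the JSON is decoded strictly and the caller receives only a generic error (so malformed input no longer enumerates the schema through Go's unmarshal messages), and the reserved-user check applies on both the new-session and the resume path, with a resume additionally required to name a user the service itself created. Big-endian byte order, the `SessionStore`, the reserved-user list and the `maxFrame` value are assumptions for the example; the field names `name`, `isResume` and `allowedDomains` are the ones the article reports.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// maxFrame caps one RPC frame so a bogus length prefix cannot force a
// huge allocation. The value is an assumption for this example.
const maxFrame = 1 << 20

// ReadFrame reads one [4-byte length][JSON payload] frame. Big-endian
// order is assumed; the article only states "4-byte length".
func ReadFrame(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n == 0 || n > maxFrame {
		return nil, fmt.Errorf("frame length %d out of range", n)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// WriteFrame builds a frame with the same layout (used for sample input).
func WriteFrame(payload []byte) []byte {
	out := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(out, uint32(len(payload)))
	copy(out[4:], payload)
	return out
}

// SpawnRequest carries the parameters the article names; the real schema
// is larger, so this is a hypothetical subset.
type SpawnRequest struct {
	Name           string   `json:"name"`
	IsResume       bool     `json:"isResume"`
	AllowedDomains []string `json:"allowedDomains"`
}

// reservedUsers are accounts a session must never run as (assumed list).
var reservedUsers = map[string]bool{"root": true, "daemon": true, "nobody": true}

// SessionStore records the users this daemon created itself; a resume is
// only valid for one of them. Hypothetical helper for the example.
type SessionStore struct{ created map[string]bool }

func NewSessionStore() *SessionStore { return &SessionStore{created: map[string]bool{}} }

func (s *SessionStore) Create(name string) { s.created[name] = true }

var (
	ErrReservedUser = errors.New("reserved user")
	ErrUnknownUser  = errors.New("resume names a user this service did not create")
	ErrBadRequest   = errors.New("malformed spawn request")
)

// ParseSpawn decodes strictly: unknown fields are rejected, and the caller
// only ever sees ErrBadRequest, never the decoder's field-level text.
func ParseSpawn(frame []byte) (SpawnRequest, error) {
	var req SpawnRequest
	dec := json.NewDecoder(bytes.NewReader(frame))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil {
		return SpawnRequest{}, ErrBadRequest
	}
	return req, nil
}

// ValidateSpawn applies the identity rules on both code paths: the
// reserved-user check is not skipped when isResume is true, and a resume
// must name a user recorded in the store.
func ValidateSpawn(req SpawnRequest, store *SessionStore) error {
	if req.Name == "" || reservedUsers[req.Name] {
		return ErrReservedUser
	}
	if req.IsResume && !store.created[req.Name] {
		return ErrUnknownUser
	}
	return nil
}

// HandleFrame is the end-to-end path: frame -> strict parse -> validate.
func HandleFrame(r io.Reader, store *SessionStore) (SpawnRequest, error) {
	frame, err := ReadFrame(r)
	if err != nil {
		return SpawnRequest{}, err
	}
	req, err := ParseSpawn(frame)
	if err != nil {
		return SpawnRequest{}, err
	}
	return req, ValidateSpawn(req, store)
}

func main() {
	store := NewSessionStore()
	store.Create("cowork-a1") // constructed session user
	for _, p := range []string{
		`{"name": "root", "isResume": true}`,      // the bypass from the article
		`{"name": "cowork-a1", "isResume": true}`, // legitimate resume
		`{"name": "x", "bogus": 1}`,               // schema probing
	} {
		_, err := HandleFrame(bytes.NewReader(WriteFrame([]byte(p))), store)
		fmt.Printf("%-42s -> %v\n", p, err)
	}
}
```

The design point is that the trust decision never rests on a client-supplied flag: `isResume` only selects which branch runs, and both branches go through the same `ValidateSpawn`. Keeping the decoder's error text server-side is a small change, but it is what removes the schema-enumeration step the article describes.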
Implications and Recommendations
This vulnerability underscores the potential risks associated with privilege boundaries in AI agent tools that are considered “sandboxed.” While Anthropic’s threat model may treat an attacker who already has local code execution as out of scope, this finding highlights the necessity for organizations to reassess the security of their development environments. It is crucial to implement comprehensive security measures that address both remote and local attack vectors to safeguard sensitive data and maintain system integrity.