📄 Description (English)
A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.23. Impacted is an unknown function of the file agent/skills_guard.py of the component Skills Guard Multi-Word Prompt Handler. The manipulation of the argument THREAT_PATTERNS leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
🤖 AI Executive Summary
CVE-2026-9353 is a high-severity injection vulnerability in NousResearch hermes-agent affecting the Skills Guard Multi-Word Prompt Handler component. The vulnerability allows remote attackers to manipulate THREAT_PATTERNS arguments to inject malicious code, with public exploit disclosure and no vendor patch available. This poses significant risk to organizations deploying AI agent systems for security-critical operations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 26, 2026 19:37
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations at highest risk include: (1) Government agencies (NCA, CITC) deploying AI-driven security monitoring and threat analysis systems; (2) Banking sector (SAMA-regulated institutions, major banks) using hermes-agent for fraud detection and security operations; (3) Critical infrastructure operators (ARAMCO, SEC, water utilities) relying on AI agents for threat pattern recognition; (4) Telecom providers (STC, Mobily) using agent-based security systems. The injection vulnerability could allow attackers to bypass security controls, manipulate threat detection logic, and potentially gain unauthorized access to sensitive systems.
🏢 Affected Saudi Sectors
Government & Public Administration
Banking & Financial Services
Critical Infrastructure (Energy, Water, Utilities)
Telecommunications
Healthcare
Defense & Security
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application (remote exploitation of hermes-agent)
T1059 - Command and Scripting Interpreter (code injection via THREAT_PATTERNS)
T1203 - Exploitation for Client Execution (injection leading to code execution)
T1047 - Windows Management Instrumentation (potential lateral movement post-exploitation)
T1021 - Remote Services (remote exploitation capability)
T1098 - Account Manipulation (potential privilege escalation via injection)
T1005 - Data from Local System (access to threat pattern configurations)
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all systems running NousResearch hermes-agent versions up to 2026.4.23
2. Isolate affected systems from production networks if possible
3. Implement network segmentation to restrict access to hermes-agent components
4. Enable enhanced logging and monitoring on Skills Guard Multi-Word Prompt Handler
COMPENSATING CONTROLS (until patch available):
5. Implement input validation and sanitization for THREAT_PATTERNS arguments using whitelist-based filtering
6. Deploy Web Application Firewall (WAF) rules to detect and block injection attempts targeting agent/skills_guard.py
7. Apply strict access controls limiting who can modify THREAT_PATTERNS configurations
8. Implement runtime application self-protection (RASP) to detect injection attacks
9. Use containerization with read-only filesystems to limit exploitation impact
DETECTION RULES:
10. Monitor for suspicious THREAT_PATTERNS modifications in audit logs
11. Alert on unexpected process execution spawned from hermes-agent processes
12. Track unusual outbound connections from agent components
13. Implement YARA rules to detect known injection payloads in THREAT_PATTERNS
PATCHING:
14. Contact NousResearch for security updates or consider alternative AI agent solutions
15. Evaluate migration to patched versions once available
16. Maintain offline backups of critical configurations
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حصر جميع الأنظمة التي تشغل إصدارات NousResearch hermes-agent حتى 2026.4.23
2. عزل الأنظمة المتأثرة عن شبكات الإنتاج إن أمكن
3. تطبيق تقسيم الشبكة لتقييد الوصول إلى مكونات hermes-agent
4. تفعيل السجلات والمراقبة المحسنة على معالج الأنماط متعدد الكلمات
الضوابط التعويضية (حتى توفر التصحيح):
5. تطبيق التحقق من صحة المدخلات والتطهير لحجج THREAT_PATTERNS باستخدام التصفية القائمة على القائمة البيضاء
6. نشر قواعد جدار الحماية لتطبيقات الويب (WAF) للكشف عن محاولات الحقن وحجبها
7. تطبيق ضوابط وصول صارمة لتحديد من يمكنه تعديل تكوينات THREAT_PATTERNS
8. تطبيق حماية التطبيقات في وقت التشغيل (RASP) للكشف عن هجمات الحقن
9. استخدام الحاويات مع أنظمة الملفات للقراءة فقط لتحديد تأثير الاستغلال
قواعد الكشف:
10. مراقبة تعديلات THREAT_PATTERNS المريبة في سجلات التدقيق
11. التنبيه على تنفيذ العمليات غير المتوقعة من عمليات hermes-agent
12. تتبع الاتصالات الخارجية غير العادية من مكونات الوكيل
13. تطبيق قواعد YARA للكشف عن حمولات الحقن المعروفة في THREAT_PATTERNS
التصحيح:
14. الاتصال بـ NousResearch للحصول على تحديثات أمان أو النظر في حلول وكيل ذكي بديلة
15. تقييم الترحيل إلى إصدارات مصححة عند توفرها
16. الحفاظ على نسخ احتياطية غير متصلة من التكوينات الحرجة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information Security Policies (incident response for injection attacks)
ECC 2024 A.5.2.1 - Access Control (restrict THREAT_PATTERNS modifications)
ECC 2024 A.5.3.1 - Cryptography (protect sensitive agent configurations)
ECC 2024 A.5.4.1 - Physical and Environmental Security (isolate affected systems)
ECC 2024 A.5.5.1 - Operations Security (monitoring and logging of agent activities)
🔵 SAMA CSF
SAMA CSF Governance - Risk Management (assess AI agent security risks)
SAMA CSF Governance - Third-Party Risk Management (vendor security assessment)
SAMA CSF Protective - Access Control (implement input validation)
SAMA CSF Protective - Data Protection (protect threat pattern configurations)
SAMA CSF Detective - Monitoring and Logging (detect injection attempts)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security (incident response procedures)
ISO 27001:2022 A.5.2 - Information security roles and responsibilities
ISO 27001:2022 A.5.3 - Segregation of duties (restrict THREAT_PATTERNS access)
ISO 27001:2022 A.5.15 - Supplier relationships (vendor security assessment)
ISO 27001:2022 A.5.23 - Information security for supplier relationships
ISO 27001:2022 A.6.2 - Internal audit (assess hermes-agent security controls)
ISO 27001:2022 A.7.4 - Removal of access rights (deprovisioning from affected systems)
ISO 27001:2022 A.8.1 - User endpoint devices (protect systems running hermes-agent)
ISO 27001:2022 A.8.3 - Cryptography (encrypt sensitive configurations)
ISO 27001:2022 A.8.6 - Management of technical vulnerabilities (patch management)
🟣 PCI DSS v4.0.1
PCI DSS 1.1 - Firewall configuration standards (WAF rules for injection detection)
PCI DSS 2.1 - Change default vendor passwords and security parameters
PCI DSS 2.4 - Document and implement security configuration standards
PCI DSS 6.2 - Security patches and updates (monitor for vendor patches)
PCI DSS 6.5.1 - Injection flaws prevention (input validation for THREAT_PATTERNS)
PCI DSS 10.2 - Implement automated audit trails (log THREAT_PATTERNS modifications)
PCI DSS 10.3 - Protect audit trail history (secure logging mechanisms)