UPDATED 11:00 EDT / JULY 01 2026

Armadin details full sandbox escape in Claude Cowork but Anthropic disputes risk

Security researchers at Armadin Inc. today detailed an attack chain that runs arbitrary commands as root inside the sandbox behind Anthropic PBC’s Claude Cowork, escaping the isolation layer, with a second flaw stripping the network restrictions meant to contain it.

Anthropic, however, does not consider it a security issue. Armadin reported the chain on March 20 and Anthropic responded on March 24 that it did not qualify because pulling it off requires an attacker to already have local code execution on the host machine. Armadin validated the chain against Claude Desktop for Windows version 1.9255.2.0.

Cowork is Anthropic’s product for knowledge workers. It automates non-technical tasks and runs Claude Code inside a sandbox to do so. On Windows, the sandbox is a Hyper-V-isolated Ubuntu virtual machine wrapped in several layers of protection, including signature-gated communication, per-session unprivileged users, a seccomp filter and a proxy that restricts which domains the machine can reach. Armadin set out to quietly execute code inside that virtual machine as root with no egress limits.

The entry point was a Windows service called CoworkVMService, which exposes a named pipe that handles requests to the virtual machine. The service checks the signature of whatever program connects to it and confirms the subject is Anthropic before accepting commands. Armadin could not forge that signature, so it took a different route. The team used a technique called DLL sideloading, a common red-team method that loads attacker-controlled code into a legitimately signed binary, against claude.exe itself.

Because claude.exe loaded a system library called USERENV.dll from its own directory before falling back to the genuine copy, a malicious file with the same name and the right exported function, dropped alongside the executable, ran inside the signed process. The injected code inherited the trust the service was checking for, giving Armadin a valid client.

From there the researchers reconstructed the service’s undocumented command set by reading its log files and feeding malformed inputs to see which errors named the expected fields. The break came from two parameters on the command that spawns processes in the virtual machine, both of which the host service passed through without inspecting them.

The first, a resume flag, normally forced the daemon to create a fresh unprivileged user for each command. Setting it to true skipped that check and let Armadin run a command as any existing user, including root. That returned a shell with every Linux capability and no profile confinement, and from inside it the researchers used nsenter against the first process to step out of the sandbox into the wider virtual machine.

The second parameter overrode the domain allowlist on a per-command basis. Setting it to a wildcard switched off network filtering entirely, which Armadin confirmed by reaching an outside server the default configuration blocks.

Combined in a single request, the two parameters ran as root, escaped the sandbox and exfiltrated the machine’s password file to an attacker-controlled host. The boundary the service was meant to enforce, that each client only saw its own session, was left entirely to the client to respect.
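The host-side enforcement that was missing can be sketched as follows. This is an added example, not Anthropic's or Armadin's code: the field names (`user`, `resume`, `allowed_domains`), the `Session` record and the domains are hypothetical, since the service's real command set is not given in the article.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """Host-side record of what one connected client is entitled to."""
    client_id: str
    users: set = field(default_factory=set)    # users the host created for this session
    allowed_domains: frozenset = frozenset()   # policy allowlist, set by the host


class PolicyError(Exception):
    """Raised when a client request asks for more than its session allows."""


def authorize_spawn(session, request):
    """Validate a spawn request on the host before forwarding it to the VM.

    Returns the sanitized request; raises PolicyError otherwise.
    All field names here are hypothetical.
    """
    user = request.get("user")
    resume = request.get("resume", False)
    if not isinstance(resume, bool):
        raise PolicyError("resume must be a boolean")
    if resume:
        # Resuming is valid only for a user this session already owns.
        if user not in session.users:
            raise PolicyError("resume for a user not owned by this session")
    elif user is not None:
        raise PolicyError("client may not choose the user of a new process")

    requested = request.get("allowed_domains")
    if requested is None:
        domains = session.allowed_domains
    else:
        requested = {d.lower().rstrip(".") for d in requested}
        if any("*" in d for d in requested):
            raise PolicyError("wildcard override rejected")
        if not requested <= session.allowed_domains:
            raise PolicyError("override would widen the allowlist")
        domains = frozenset(requested)   # overrides may only narrow policy
    return {"command": request["command"], "user": user,
            "resume": resume, "allowed_domains": sorted(domains)}


if __name__ == "__main__":
    demo = Session("client-a", {"sess-user-1"}, frozenset({"api.example.test"}))
    print(authorize_spawn(demo, {"command": ["ls"]}))
```

The point of the design is that identity and egress policy are looked up from state the host holds for the connection, so a client-supplied value can only select among or narrow what the session already has.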

The disclosure comes as a broader argument about what artificial intelligence productivity tools add to corporate endpoints. Armadin noted that local virtual machines were historically a developer feature and that pushing one onto nontechnical user systems creates visibility gaps endpoint security products struggle to see into.

For organizations that do not need Cowork, the company recommends uninstalling Claude Desktop, which removes the service. Where it is needed, application allowlisting can limit which accounts a sideloading payload can target, and monitoring for unexpected loads of USERENV.dll outside the system directory flags the technique.
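The USERENV.dll monitoring check can be run over Sysmon image-load events (Event ID 7), as in this added example, which is not from Armadin or the article. It assumes the events have been flattened into dictionaries; the sample records and the `C:\Apps\Example` install path are constructed placeholders.

```python
import ntpath

# Assumption: default Windows install on C:; paths compared case-insensitively.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_DLLS = {"userenv.dll"}

# Constructed sample records (not real telemetry); install path is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Apps\Example\claude.exe",
     "ImageLoaded": r"C:\Windows\System32\userenv.dll", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Apps\Example\claude.exe",
     "ImageLoaded": r"C:\Apps\Example\USERENV.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Apps\Example\helper.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\userenv.dll",
     "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Apps\Example\claude.exe",
     "ImageLoaded": r"C:\Apps\Example\ffmpeg.dll", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Apps\Example\claude.exe"},
]


def is_suspicious_load(event):
    """True for an image-load record that pulls a watched DLL from anywhere
    other than the trusted system directories."""
    if event.get("EventID") != 7:
        return False
    # normpath collapses "..", so a traversal back out of System32 is caught.
    loaded = ntpath.normpath(event.get("ImageLoaded", "")).lower()
    directory, name = ntpath.split(loaded)
    if name not in WATCHED_DLLS:
        return False
    return directory not in TRUSTED_DIRS


def triage(events):
    """Return (process image, loaded path, signature status) per finding."""
    return [
        (e["Image"], e["ImageLoaded"], e.get("SignatureStatus", "Unknown"))
        for e in events
        if is_suspicious_load(e)
    ]


if __name__ == "__main__":
    for image, loaded, status in triage(SAMPLE_EVENTS):
        print(f"ALERT {image} loaded {loaded} (signature: {status})")
```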

Armadin is a familiar name. The company, led by Mandiant founder and Chief Executive Kevin Mandia, raised a cybersecurity industry record of $189.9 million in seed and Series A funding in March to develop its AI-driven attack simulation platform.
