The rapid development of artificial intelligence tools such as Claude, ChatGPT and Copilot is making them familiar "digital assistants" on personal computers and in corporate environments. However, a serious security problem recently discovered at Anthropic, the company that develops Claude, has shown that even mainstream AI software can introduce a dangerous vulnerability when its security design is flawed.

Three official Claude Desktop extensions, for Chrome, iMessage and Apple Notes, with more than 350,000 downloads in total, were found to contain high-severity remote code execution (RCE) vulnerabilities. The flaw lets an attacker take control of the user's computer through nothing more than a seemingly harmless chat interaction; the user does not have to download or run malicious code in the traditional way.
The cause of the problem is a long-known class of programming error: command injection. In this case, the Claude Desktop extensions pass user input into AppleScript without filtering or escaping special characters. Because these extensions run with the full permissions of the user's account, an attacker who controls that input can exploit the flaw to insert and execute commands directly on the victim's machine.
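As an added illustration (not code from the Claude Desktop extensions or from Anthropic), the following Node.js snippet puts the injectable pattern described above next to a hardened alternative that passes untrusted text to osascript as an argument instead of splicing it into the script source. The Notes script and all function names are assumptions for illustration.

```javascript
// Added example, not code from the Claude Desktop extensions: the injectable
// pattern described above next to a hardened alternative. Script text and
// function names are assumptions for illustration.

// VULNERABLE: untrusted text is spliced into AppleScript source. A double quote
// in `note` closes the string literal, and whatever follows is parsed as
// AppleScript and run with the extension's full user privileges.
function buildVulnerableScript(note) {
  return `tell application "Notes" to make new note with properties {body:"${note}"}`;
}

// HARDENED: the script source is a fixed constant; untrusted text travels as
// an osascript argument and reaches the script through `on run argv`, so it is
// only ever data, never code.
const SAFE_SCRIPT = [
  "on run argv",
  '  tell application "Notes" to make new note with properties {body:(item 1 of argv)}',
  "end run",
].join("\n");

function buildSafeInvocation(note) {
  // `-e` supplies the script; remaining arguments become argv inside it.
  return { cmd: "osascript", args: ["-e", SAFE_SCRIPT, note] };
}

// Fallback when a value must be embedded in source: escape the two characters
// that have meaning inside an AppleScript string literal (backslash first).
function quoteForAppleScript(text) {
  return '"' + text.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// Review/detection aid: would this input alter the script if interpolated raw?
function breaksOutOfLiteral(text) {
  return /["\\]/.test(text);
}

// Runs the hardened invocation; only meaningful on macOS, where osascript exists.
function runSafe(note) {
  if (process.platform !== "darwin") return null;
  const { spawnSync } = require("node:child_process");
  const { cmd, args } = buildSafeInvocation(note);
  return spawnSync(cmd, args, { encoding: "utf8" }).status;
}
```

Because the hardened script text never changes, a reviewer can also whitelist the exact osascript command line in EDR rules and treat any other AppleScript invocation from the extension process as suspicious.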
The attack scenario is particularly dangerous because it does not require any unusual behavior from the user. It is enough for Claude to access a site containing a malicious payload during a normal question-and-answer session for the malicious code to be executed immediately. Potential consequences include theft of SSH keys, browser passwords and cloud credentials such as AWS keys, or a foothold for further attacks on the system.
Anthropic rated the vulnerability at CVSS 8.9 and quickly released an emergency patch. However, the concern does not stop at the three official extensions. The Model Context Protocol (MCP) ecosystem is expanding rapidly, with many tools built with the help of AI coding assistants that have not yet undergone rigorous security testing. Since many MCP tools have the same level of system access, they become attractive targets for attackers.
Experts recommend that users apply the latest patches immediately, limit installation of AI tools from unknown sources, and deploy behavioral monitoring such as EDR to detect abnormal activity early. This incident is a clear warning that, in the era of AI desktop assistants, a small error can lead to serious consequences if it is not tightly controlled.