Security experts from Pentera Labs have revealed a critical vulnerability that can transform a compromised email inbox into a tool for remote code execution on a victim’s device. This method does not rely on traditional malware or phishing techniques but instead exploits the victim’s own Claude Desktop assistant.
Uncovering the Attack Method
The researchers discovered that gaining access to a platform aggregating customer emails allowed them to exploit the authentication process. This access enabled them to infiltrate the victim’s Claude account, specifically targeting the ‘Personal Preferences’ field. This field, editable by the user and synchronized across all devices linked to the account, presented an ideal attack vector.
By encoding a subtle prompt into this field, attackers could manipulate Claude Desktop to execute commands without requiring the user’s re-authentication or awareness. The assistant would then act on these attacker-controlled instructions upon the victim’s next app interaction.
Executing Remote Commands
The injected payload compelled Claude to identify and utilize any installed extensions capable of executing commands, such as the Desktop Commander MCP tool. If such an extension was present, the assistant would automatically carry out the malicious commands during regular usage.
In cases where no command-capable extension existed, Claude facilitated social engineering by displaying deceptive error messages. These messages prompted users to install Desktop Commander, thereby enabling the execution of attacker instructions once the extension was active.
Wider Security Implications
Additional research has highlighted similar vulnerabilities in Claude’s extension infrastructure. LayerX reported a zero-click remote code execution (RCE) flaw in Claude Desktop Extensions (DXT) triggered by a crafted calendar event. Meanwhile, Koi Security identified command injection issues in Anthropic’s Chrome, iMessage, and Apple Notes connectors, which have since been patched.
Pentera informed Anthropic about these vulnerabilities in November 2025. Although Anthropic recognized the findings, it did not classify them as security issues, considering the behavior of executing code through Claude Desktop as intended functionality. They pointed to existing security measures and future plans to enhance safeguards while emphasizing that an initial account compromise is necessary for such attacks.
Recommendations for Security Teams
Organizations are advised to treat AI desktop applications with caution, recognizing their capacity to execute code and access local files. Monitoring unauthorized changes to assistant settings and limiting which extensions can interact with AI clients are crucial steps in mitigating risks.
As AI assistants evolve, understanding the disparity between their perceived and actual capabilities is becoming an essential aspect of enterprise risk management. Companies must adapt to these emerging threats to protect their digital environments.
