Tongyi Lab A.I CyberSecurity Scoring
Tongyi Lab
Company Information
Website: https://careers-tongyi.alibaba.com/?lang=zh
Employees number: 22
Number of followers: 821
NAICS: 5417
Industry Type: Research Services
Homepage: alibaba.com
Tongyi Lab Risk Score (AI oriented)
Tongyi Lab, Research Services
Updated: 13/03/2026
Current Score: 748/1000, Ba (Moderate), within the 700-749 band
Tongyi Lab Global Score (TPRM): score locked
1 incident, -2 avg impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
July 2026: 749
June 2026: 749
May 2026: 749
April 2026: 749
March 2026: 750
Vulnerability, 04 Mar 2026, Tongyi Lab
ModelScope: MS-Agent Vulnerability Let Attackers Hijack AI Agent to Gain Full System Control
Critical RCE Vulnerability in MS-Agent AI Framework Exposes Systems to Full Compromise
Score after incident: 748, severity CRITICAL, impact -2, incident ID ALI1772620145
A severe security flaw (CVE-2026-2256) has been identified in ModelScope’s MS-Agent framework, a lightweight tool enabling AI agents to execute autonomous system commands. The vulnerability, rated 9.8 (CVSS v3.1), allows attackers to perform remote code execution (RCE) by exploiting inadequate input sanitization in the framework’s "Shell tool."
The flaw stems from prompt injection attacks, in which malicious commands, embedded in seemingly benign input such as documents or code, are passed unsanitized to the OS. While MS-Agent employs a basic `check_safe()` denylist to block dangerous commands, researchers found it can be bypassed through command obfuscation or alternative syntax, rendering the defense ineffective.
Successful exploitation grants attackers arbitrary command execution with the same privileges as the MS-Agent process, enabling:
- Data exfiltration of sensitive files accessible to the AI.
- Modification or deletion of critical system files.
- Persistence mechanisms, including backdoor installation.
- Lateral movement across enterprise networks.
As of the CERT/CC disclosure, the vendor has not released a patch or official response. Organizations using MS-Agent are urged to mitigate risks by sandboxing the agent, enforcing least-privilege access, validating all ingested content, and replacing denylists with strict allowlists to restrict permitted commands. The incident underscores the escalating security risks of AI agents with unchecked OS access.
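One way to implement the allowlist mitigation the advisory recommends, as an added example that is not MS-Agent's own code: a gate for a shell tool that permits only listed binaries, listed flags and absolute paths under an assumed sandbox root, and rejects everything else rather than trying to enumerate dangerous commands. The permitted commands and the sandbox root are constructed for illustration.

```python
import shlex
from pathlib import PurePosixPath

# Constructed policy: binaries the agent may run, each mapped to the flags it may take.
ALLOWED_COMMANDS = {
    "ls": {"-l", "-a", "-la"},
    "cat": set(),
    "wc": {"-l", "-c"},
}
# Assumed sandbox root: only paths at or below it may appear as arguments.
SANDBOX_ROOT = PurePosixPath("/srv/agent-workspace")

# Characters that would let a shell chain, substitute or redirect commands.
SHELL_META = set(";&|$`<>(){}\n")


def check_allowed(command: str) -> tuple[bool, str]:
    """Return (allowed, reason). Default-deny: every token must be explicitly permitted."""
    if any(ch in SHELL_META for ch in command):
        return False, "shell metacharacter present"
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    prog, args = argv[0], argv[1:]
    if prog not in ALLOWED_COMMANDS:
        return False, f"binary not in allowlist: {prog}"
    for arg in args:
        if arg.startswith("-"):
            if arg not in ALLOWED_COMMANDS[prog]:
                return False, f"flag not permitted: {arg}"
            continue
        path = PurePosixPath(arg)
        if not path.is_absolute() or ".." in path.parts:
            return False, f"path must be absolute and free of '..': {arg}"
        if path != SANDBOX_ROOT and SANDBOX_ROOT not in path.parents:
            return False, f"path outside sandbox: {arg}"
    return True, "ok"


if __name__ == "__main__":
    for cmd in ("ls -l /srv/agent-workspace/docs", "rm -rf /", "ls /srv/agent-workspace $(id)"):
        print(f"{cmd!r}: {check_allowed(cmd)}")
```

The validated `argv` list should then be passed to `subprocess.run` without `shell=True`, so the gate and the executor agree on exactly which tokens run.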
February 2026: 750
January 2026: 750
December 2025: 750
November 2025: 750
October 2025: 750
September 2025: 750
August 2025: 750