Microsoft has announced MDASH, its new AI-powered security platform. The system, whose name stands for Multi-Model Agentic Scanning Harness, enabled the detection of 16 previously unknown vulnerabilities in the networking and authentication components of Windows. Four of these vulnerabilities pose a critical risk of remote code execution. MDASH scans for vulnerabilities using more than 100 AI agents.
Developed by Microsoft’s Autonomous Code Security team, MDASH works differently from the classical scanning approach based on a single AI model. The platform brings together more than 100 dedicated AI agents in the same security research process. These agents examine the code base, identify suspicious points, debate the findings, deduplicate similar results, and bring verifiable vulnerabilities to the proof stage.
The system proceeds through a pipeline consisting of preparation, scanning, verification, deduplication and proof steps. During the preparation phase, the code base is analyzed, the attack surface is extracted, and a threat model is created based on past changes. During the scanning phase, specialized auditor agents identify candidate vulnerabilities. In the verification phase, different agents debate the reachability and exploitability of these findings.
Then, results that point to the same finding are merged, and the existence of each vulnerability is proven with triggering inputs for the appropriate bug class. According to the information shared by Microsoft, MDASH was used to find a total of 16 CVEs in the Windows TCP/IP stack, the IKEEXT IPsec service, HTTP.sys, Netlogon, the DNS resolution component and the Telnet client. Of these vulnerabilities, 10 are in the kernel-mode category and 6 are in the user-mode category.
Most of the findings are reachable over the network without authentication. Among the critical vulnerabilities, CVE-2026-33827 stands out as a use-after-free bug in the tcpip.sys component that can be triggered remotely and without authentication. According to Microsoft’s statement, the vulnerability is caused by incorrect lifecycle management of a Path object that is referenced in the Windows IPv4 receive path.
This bug, which can be triggered through attacker-controlled packet data, is classified as critical because the affected code runs in kernel context. Another critical vulnerability, CVE-2026-33824, is in the IKEEXT service. IKEEXT is among the components responsible for IKE and AuthIP keying operations in Windows. Microsoft states that this vulnerability is reachable remotely and without authentication on systems configured as IKEv2 responders.
The bug causes a double free under certain conditions and poses a risk of remote code execution because IKEEXT runs with LocalSystem privileges. Other critical vulnerabilities found by MDASH include CVE-2026-41089 in the Netlogon component and CVE-2026-41096 in the DNS API. The list also includes additional tcpip.sys vulnerabilities in the denial-of-service, information leak, security feature bypass and privilege escalation classes.
There is also a denial-of-service vulnerability in HTTP.sys related to the QUIC control flow, and an information leak vulnerability in the Telnet client caused by an incorrect data read. Microsoft states that MDASH not only produces candidate vulnerabilities, but also works on validating the findings and reducing false positives. In the company’s trial on its private test driver, StorageDrive, 21 vulnerabilities were deliberately added to the code.
MDASH detected all 21 of these vulnerabilities and produced zero false positives in testing. The evaluation was not limited to in-house test code. Microsoft also measured MDASH against past Microsoft Security Response Center (MSRC) cases. The system achieved a 96 percent recall rate across 28 MSRC cases in clfs.sys spanning five years. For tcpip.sys, all seven previous MSRC cases were detected again. On the public CyberGym benchmark, the system achieved an 88.45 percent success rate across 1,507 real-world vulnerability tasks.
MDASH is currently used internally by Microsoft’s security engineering teams. The platform is also being tested in private preview with a limited number of customers. Microsoft states that the real difference in this architecture comes not from a single model, but from the agent-based verification and proof pipeline built around the model.