A vulnerability chain in Anthropic’s Claude Cowork allows an attacker with local code execution to escalate privileges and run arbitrary commands as root inside the product’s isolated Linux sandbox, bypassing every layer of defense Anthropic built into the environment.
Claude Cowork is Anthropic’s product for knowledge workers, designed to let non-technical users leverage Claude Code for building tools and processing data.
On Windows, Cowork wraps Claude Code inside a Hyper-V-isolated Ubuntu VM, protected by Authenticode-gated named-pipe RPC, bubblewrap namespaces, per-session unprivileged users, a seccomp filter, and a domain-restricted egress proxy.
Cowork’s Sandbox Vulnerability
Armadin’s research set out to quietly execute arbitrary code inside the VM as root with unrestricted network access, and it succeeded.

Cowork on Windows provisions its sandbox via the Host Compute Service, running an Ubuntu VM invisible to standard Hyper-V tooling (confirmable only via hcdiag list as Administrator).
A Local System service, CoworkVMService, manages desktop connections through a named pipe (\\.\pipe\cowork-vm-service) that hosts a JSON-based RPC server.
CoworkVMService validates connections using Authenticode signature checks, confirming the caller is signed by “Anthropic, PBC.” Armadin’s attempts to bypass this via cloned signature blobs or alternate trust chains both failed against WinVerifyTrust.
Instead, researchers pivoted to DLL sideloading (MITRE ATT&CK T1574.002). They found that claude.exe resolves USERENV.dll from its own application directory before falling back to the system copy.
By crafting a malicious DLL exporting GetUserProfileDirectoryW and naming it USERENV.dll, Armadin achieved arbitrary code execution inside a legitimately signed Anthropic binary — satisfying the pipe’s identity check without breaking it.
With code execution inside claude.exe, Armadin used an AI coding agent to reverse-engineer the RPC protocol from service logs, error messages, and JSON fuzzing. The protocol used a simple [4-byte length][JSON payload] framing, exposing methods like configure, startVM, isGuestConnected, and critically, spawn.
Most sandbox protections held firm under direct attack: useradd rejected reserved usernames like root, the egress proxy blocked non-allowlisted domains with 403 errors, and NTFS junctions weren’t followed into the guest.
The break came from two spawn parameters forwarded verbatim to the VM’s sdk-daemon: isResume and allowedDomains. By fuzzing malformed JSON, Armadin used Go’s descriptive unmarshaling errors to enumerate the full parameter schema.
Normally, isResume: false forces creation of a fresh unprivileged user. But setting isResume: true bypassed the existing-user check entirely — allowing the daemon to execute commands as any specified user, including root, with no validation.
Sending {"name": "root", "isResume": true} returned a root shell inside the bubblewrap sandbox.
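To make the failure mode concrete, the following is a hypothetical Go reconstruction of the daemon's spawn user-resolution logic as the article describes it, with the flawed resume path beside a hardened one and a decoder that rejects undocumented fields. This is an added example, not Anthropic's sdk-daemon code; the Sessions map, user names and error strings are constructed, and only the field names name and isResume come from the article.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// SpawnRequest: the two spawn parameters the article says reach the guest daemon verbatim (hypothetical reconstruction).
type SpawnRequest struct {
	Name     string `json:"name"`
	IsResume bool   `json:"isResume"`
}

// Sessions records the per-session unprivileged users the daemon created (constructed stand-in).
type Sessions map[string]bool

// ResolveUserVulnerable reproduces the flaw: isResume=true skips every check.
func ResolveUserVulnerable(s Sessions, req SpawnRequest) (string, error) {
	if req.IsResume {
		return req.Name, nil // caller names any account, root included
	}
	if req.Name == "" || req.Name == "root" || s[req.Name] {
		return "", fmt.Errorf("useradd: cannot create %q", req.Name)
	}
	s[req.Name] = true // fresh unprivileged user
	return req.Name, nil
}

// ResolveUserHardened checks the name on both paths; a resume may only attach to a user this daemon created.
func ResolveUserHardened(s Sessions, req SpawnRequest) (string, error) {
	if req.Name == "" || req.Name == "root" {
		return "", fmt.Errorf("reserved username %q", req.Name)
	}
	if req.IsResume != s[req.Name] { // resume needs a known user, fresh spawn a new one
		return "", fmt.Errorf("isResume=%v does not match user %q", req.IsResume, req.Name)
	}
	if !req.IsResume {
		s[req.Name] = true
	}
	return req.Name, nil
}

// DecodeSpawn parses one JSON frame body, rejecting fields outside the documented schema.
func DecodeSpawn(payload []byte) (SpawnRequest, error) {
	dec := json.NewDecoder(bytes.NewReader(payload))
	dec.DisallowUnknownFields()
	var req SpawnRequest
	return req, dec.Decode(&req)
}
```

The key difference is that the hardened path applies the reserved-name check regardless of isResume and only honours a resume for a user the daemon itself provisioned.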
Armadin has validated the complete kill chain against Claude Desktop for Windows version 1.9255.2.0. Although attacks that require local code execution fall outside Anthropic’s threat model, this finding emphasizes that privilege boundaries within “sandboxed” AI agent tools can be easily bypassed once initial access is gained.