Hardening / mitigation

Patch first. Upgrade Python SDK to ≥ 1.39.4 and .NET SDK to ≥ 1.71.0. The patched releases also include the upstream test additions covering the bypass patterns.
If immediate upgrade is blocked, implement a Function Invocation Filter (the SDK-supported hook documented in the Microsoft research post) to allowlist the methods and parameters that may be called. This neutralises the unintended-[KernelFunction] exposure on the .NET side and reduces the Python-side blast radius even if the validator is bypassed.
Audit every [KernelFunction]-decorated method in your codebase for parameter types that are paths, file handles, raw strings later interpolated into code, SQL fragments, or URLs; remove the decorator from anything that does not need to be LLM-callable.
Treat LLM-supplied inputs to filter / templating / dispatch as untrusted at the SDK boundary — the same bar as request-body validation on a REST endpoint. Allowlist parameter types, validate paths against canonicalised roots, parameterise filter expressions instead of interpolating them.
Network segmentation around agent hosts. A Semantic Kernel agent host with read access to internal systems and outbound internet access is an obvious post-RCE pivot point; the agent process should run with the same network and credential constraints as any internet-exposed application server.