CVE-2025-67511

CRITICAL 9.6 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 21:15 (vuln.today)
Patch Released: Mar 17, 2026 - 21:15 (nvd), patch available
PoC Detected: Mar 17, 2026 - 21:07 (vuln.today), public exploit code
CVE Published: Dec 11, 2025 - 00:16 (nvd), CRITICAL 9.6

Description

Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only the password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection, while the username, host and port values are injectable. This issue does not have a fix at the time of publication.

Analysis

A critical command injection vulnerability exists in the Cybersecurity AI (CAI) framework versions 0.5.9 and below. Unsanitized SSH parameters (username, host, port) in the run_ssh_command_with_credentials() function, which is accessible to AI agents, allow attackers to execute arbitrary commands. A proof-of-concept exploit is publicly available, and the vulnerability enables remote code execution with potential for complete system compromise. Real-world exploitation probability remains relatively low, with an EPSS score of 0.12%, despite the high CVSS rating of 9.6.

Technical Context

The Cybersecurity AI (CAI) framework, identified as cpe:2.3:a:aliasrobotics:cybersecurity_ai:*:*:*:*:*:*:*:*, is an open-source platform for building AI-powered security automation tools. The vulnerability stems from CWE-77 (Improper Neutralization of Special Elements used in a Command), where the run_ssh_command_with_credentials() function only escapes password and command inputs but fails to sanitize username, host, and port parameters before passing them to shell commands. This allows attackers to inject shell metacharacters and execute arbitrary commands when these parameters are processed by the underlying SSH client.

Affected Products

The Cybersecurity AI (CAI) framework versions 0.5.9 and below are affected by this vulnerability, as confirmed by CPE identifier cpe:2.3:a:aliasrobotics:cybersecurity_ai:*:*:*:*:*:*:*:*. The vulnerability specifically impacts installations where AI agents have access to the run_ssh_command_with_credentials() function for offensive or defensive automation tasks. Detailed technical information is available in the GitHub Security Advisory at https://github.com/aliasrobotics/cai/security/advisories/GHSA-4c65-9gqf-4w8h and the security researcher's blog post at https://www.hacktivesecurity.com/blog/2025/12/10/cve-2025-67511-tricking-a-security-ai-agent-into-pwning-itself.

Remediation

At the time of publication, no official patch is available from the vendor despite a commit (https://github.com/aliasrobotics/cai/commit/09ccb6e0baccf56c40e6cb429c698750843a999c) being referenced. Organizations should immediately disable or restrict access to the run_ssh_command_with_credentials() function in their CAI deployments, implement input validation for all SSH parameters (username, host, port) before processing, and consider sandboxing AI agent operations to limit potential damage. Monitor the GitHub advisory at https://github.com/aliasrobotics/cai/security/advisories/GHSA-4c65-9gqf-4w8h for updates on patch availability and apply the patch as soon as it is released.
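
One way to implement the input validation recommended above, shown as an added example; it is not CAI's code and not the referenced commit. The names build_ssh_argv, run_ssh, accepted and SAMPLES are hypothetical, and the use of sshpass with the OpenSSH client is an assumption about the underlying tooling.

```python
import ipaddress
import re
import subprocess

# Allow-lists chosen for this example (assumptions; tighten to local policy).
_USER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
_PORT_RE = re.compile(r"[0-9]{1,5}")

def _valid_host(host):
    if "%" in host:  # refuse IPv6 zone ids: they admit arbitrary text
        return False
    try:
        ipaddress.ip_address(host)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        return len(host) <= 253 and _HOST_RE.fullmatch(host) is not None

def build_ssh_argv(username, host, port, command):
    """Return an argv list for sshpass + ssh, or raise ValueError."""
    username, host, port = str(username), str(host), str(port)
    # fullmatch, not match with "$": a trailing newline must not slip through.
    if not _USER_RE.fullmatch(username):
        raise ValueError("invalid username")
    if not _valid_host(host):  # also rejects option-like values starting with "-"
        raise ValueError("invalid host")
    if not _PORT_RE.fullmatch(port) or not 1 <= int(port) <= 65535:
        raise ValueError("invalid port")
    # Every value is a separate argv element, so no local shell parses them.
    # "sshpass -e" takes the password from the SSHPASS environment variable.
    return ["sshpass", "-e", "ssh", "-p", str(int(port)), "-l", username, host, command]

def run_ssh(username, host, port, password, command, timeout=30):
    argv = build_ssh_argv(username, host, port, command)
    env = {"SSHPASS": password, "PATH": "/usr/bin:/bin"}
    return subprocess.run(argv, env=env, capture_output=True, text=True, timeout=timeout)

# Constructed inputs: one benign, three carrying shell or option syntax.
SAMPLES = [("root", "10.0.0.5", 22), ("root; id", "10.0.0.5", 22),
           ("root", "-host.example", 22), ("root", "10.0.0.5", "22 && id")]

def accepted(username, host, port):
    try:
        build_ssh_argv(username, host, port, "uname -a")
        return True
    except ValueError:
        return False
```

The command argument is still executed by the remote shell, which is the function's purpose; the validation only guarantees that username, host and port cannot alter the local command line.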

Priority Score

68
KEV: 0
EPSS: +0.1
CVSS: +48
POC: +20
