CVE-2025-67511
Published: 11 December 2025
Description
Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection, while username, host and port values are injectable. This issue does not have a fix at the time of publication.
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Directly addresses the command injection vulnerability by requiring validation of all inputs, including the unescaped username, host, and port parameters in run_ssh_command_with_credentials().
- Requires monitoring for vulnerabilities like CVE-2025-67511 and timely remediation through patching, as indicated by the available GitHub commit.
- Enforces least privilege on AI agents and the CAI process to limit the scope and impact of arbitrary command execution resulting from the injection.
Security Summary [AI-generated]
CVE-2025-67511 is a command injection vulnerability (CWE-77) in the open-source Cybersecurity AI (CAI) framework, which supports building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are affected specifically in the run_ssh_command_with_credentials() function, accessible to AI agents. While password and command inputs are escaped to prevent shell injection, the username, host, and port parameters remain unescaped and thus injectable.
The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and high impacts across confidentiality, integrity, and availability. Attackers can exploit it by tricking users or AI agents into supplying malicious values for the injectable fields, enabling arbitrary command execution on the host running CAI.
Published on 2025-12-11, the advisory notes no fix was available at that time. A related commit (https://github.com/aliasrobotics/cai/commit/09ccb6e0baccf56c40e6cb429c698750843a999c) addresses the issue, with further details in the GitHub security advisory (https://github.com/aliasrobotics/cai/security/advisories/GHSA-4c65-9gqf-4w8h) and a technical blog post (https://www.hacktivesecurity.com/blog/2025/12/10/cve-2025-67511-tricking-a-security-ai-agent-into-pwning-itself).
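The defect the summary describes is a partial escape: two of five interpolated values are quoted before reaching a shell, the other three are not. The following added example is not CAI's code and does not reproduce the project's implementation; it assumes a generic sshpass-plus-ssh invocation and shows the shape of the flaw (an unescaped username, host or port flows into a shell command string) next to a hardened builder that allowlists those three fields and hands ssh an argv list, so no local shell parses any of the values.

```python
"""Added example (not CAI's code): a partially escaped shell command string
versus an allowlisted, shell-free argv builder for an SSH helper.

Assumptions (not from the advisory): the helper wraps `sshpass` and `ssh`;
function names and the validation rules are this example's own.
"""
import ipaddress
import os
import re
import shlex
import subprocess

# Vulnerable shape described in the advisory: password and command are quoted,
# but username, host and port are concatenated into the shell string unescaped.
# This function only builds the string; nothing here executes it.
def build_ssh_command_unsafe(username, password, host, port, command):
    return (
        f"sshpass -p {shlex.quote(password)} "
        f"ssh -p {port} {username}@{host} {shlex.quote(command)}"
    )

# Conservative allowlists for the three fields the advisory says were unescaped.
_USERNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,31}$")
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def validate_username(username):
    # Letters, digits, '_', '.', '-' only; no leading '-' so the value can
    # never be read as an option by ssh or sshpass.
    if not isinstance(username, str) or not _USERNAME_RE.match(username):
        raise ValueError(f"rejected username: {username!r}")
    return username

def validate_host(host):
    # Accept an IPv4/IPv6 literal or a DNS hostname; anything else is refused.
    if isinstance(host, str):
        try:
            ipaddress.ip_address(host)
            return host
        except ValueError:
            pass
        if _HOSTNAME_RE.match(host):
            return host
    raise ValueError(f"rejected host: {host!r}")

def validate_port(port):
    # Only ASCII digits, then a range check; "22;id" or "-p" never survive.
    text = str(port)
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"rejected port: {port!r}")
    number = int(text)
    if not 1 <= number <= 65535:
        raise ValueError(f"port out of range: {number}")
    return number

def build_ssh_argv_safe(username, host, port, command):
    """Return an argv list; every value is exactly one argument to exec()."""
    user = validate_username(username)
    target = validate_host(host)
    number = validate_port(port)
    # The password is deliberately not in argv (see run_ssh_safe); `command`
    # is a single argument that only the remote shell will interpret.
    return ["sshpass", "-e", "ssh", "-p", str(number), f"{user}@{target}", command]

def run_ssh_safe(username, password, host, port, command, timeout=30):
    """Execute without a local shell; sshpass -e reads SSHPASS from the env."""
    argv = build_ssh_argv_safe(username, host, port, command)
    env = {**os.environ, "SSHPASS": password}
    return subprocess.run(argv, env=env, capture_output=True, text=True, timeout=timeout)

if __name__ == "__main__":
    # Constructed inputs: a benign call and one with a hostile username.
    print(build_ssh_argv_safe("ops", "10.0.0.5", "22", "uptime"))
    try:
        build_ssh_argv_safe("ops;id", "10.0.0.5", 22, "uptime")
    except ValueError as exc:
        print("blocked:", exc)
```

The two builders differ in where trust is placed: the unsafe one relies on each caller quoting each value, so one forgotten `shlex.quote` is a shell injection; the safe one never produces a shell string at all, and the allowlists reject values that would otherwise become extra arguments (a leading `-`) or extra commands (`;`, `|`, newlines). Passing the password through `SSHPASS` rather than `-p` also keeps it out of the process list, which is a separate weakness the advisory does not cover.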
Details
- CWE(s): CWE-77
- Affected Products: Cybersecurity AI (CAI), versions 0.5.9 and below
AI Security Analysis [AI-generated]
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Cybersecurity AI (CAI) is a framework for building and deploying AI-powered automation with functions available to AI agents, such as run_ssh_command_with_credentials for SSH integrations, fitting AI agent protocols and integrations.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The command injection vulnerability in run_ssh_command_with_credentials() via unescaped username, host, and port parameters enables arbitrary shell command execution on the host running CAI, mapping to T1059 (Command and Scripting Interpreter) and specifically T1059.004 (Unix Shell) given the SSH context.