Cyber Posture

CVE-2026-25807

HighPublic PoC

Published: 09 February 2026

Published
09 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0014 34.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

ZAI Shell is an autonomous SysOps agent designed to navigate, repair, and secure complex environments. Prior to 9.0.3, the P2P terminal sharing feature (share start) opens a TCP socket on port 5757 without any authentication mechanism. Any remote attacker can…

more

connect to this port using a simple socket script. An attacker who connects to a ZAI-Shell P2P session running in --no-ai mode can send arbitrary system commands. If the host user approves the command without reviewing its contents, the command executes directly with the user's privileges, bypassing all Sentinel safety checks. This vulnerability is fixed in 9.0.3.

Mitigating Controls (NIST 800-53 r5)AI

AC-17 Remote Access good match
prevent

AC-17 requires authentication, authorization, and monitoring for remote access mechanisms, directly mitigating the unauthenticated TCP socket opened by the P2P terminal sharing feature.

SC-41 Port and I/O Device Access good match
prevent

SC-41 restricts access to specific ports like 5757, preventing remote attackers from connecting to the exposed P2P socket.

CM-7 Least Functionality good match
prevent

CM-7 prohibits or restricts non-essential functions, ports, and services such as the vulnerable P2P sharing feature to minimize attack surface.

Security SummaryAI

CVE-2026-25807 affects ZAI Shell, an autonomous SysOps agent designed to navigate, repair, and secure complex environments, in versions prior to 9.0.3. The vulnerability resides in the P2P terminal sharing feature, invoked via the "share start" command, which opens a TCP socket on port 5757 without any authentication mechanism. This exposes the socket to remote connections, enabling potential code injection as classified under CWE-94, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this by connecting to the exposed port 5757 using a simple socket script, without requiring privileges or authentication. When ZAI Shell is running in --no-ai mode, the attacker can send arbitrary system commands through the P2P session. If the host user approves the command without reviewing its contents, it executes directly with the user's privileges, bypassing all Sentinel safety checks and potentially leading to high confidentiality, integrity, and availability impacts.

The vulnerability is fixed in ZAI Shell version 9.0.3. Mitigation details are available in the GitHub security advisory (GHSA-6pjj-r955-34rr), the release notes for v9.0.3, and the fixing commit (a4ea8525d912f55d6e2f09b2869966c52d189a4a), which security practitioners should review for patch implementation guidance.

Details

CWE(s)
CWE-94

Affected Products

taklaxbr
zai shell
≤ 9.0.3

AI Security AnalysisAI

AI Category
Other AI Platforms
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
Matched keywords: ai

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

The vulnerability exposes an unauthenticated public-facing TCP socket (port 5757) exploitable remotely for initial access (T1190) and enables arbitrary system command execution via command injection (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References