Cyber Resilience

CVE-2025-61260

Critical · RCE

Published: 14 April 2026

Modified: 17 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0706 (93.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-61260 is a critical-severity Code Injection (CWE-94) vulnerability. The affected vendor is listed as Checkpoint (inferred from references), while the vulnerability description names OpenAI Codex CLI as the affected product. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 6.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-61260 is a code injection vulnerability (CWE-94) affecting OpenAI Codex CLI versions v0.23.0 and earlier. The flaw enables arbitrary code execution through malicious MCP (Model Context Protocol) configuration files, specifically project-local .env and .codex/config.toml files. Codex automatically loads these files without user confirmation when the 'codex' command is executed, allowing embedded arbitrary commands to run immediately.

The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating that it is exploitable remotely with low complexity and that no privileges or user interaction are required. Attackers can exploit it by compromising a repository, or by tricking users into running the codex command inside a repository that contains malicious configuration files. The commands embedded in those files then execute, with high impact on confidentiality, integrity, and availability.

Advisories and patches are detailed in references from OpenAI (http://openai.com) and Check Point Research (https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/). Security practitioners should consult these sources for specific mitigation guidance and patch information.

This vulnerability affects an AI-powered code generation tool from OpenAI, highlighting risks in CLI tools that integrate with repositories for AI/ML-assisted development workflows. No real-world exploitation status is available in the provided data.

Vulnerability details

A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp, model context protocol, openai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1195.002 Compromise Software Supply Chain (Tactic: Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.

Why these techniques?

The vulnerability enables arbitrary code execution (RCE) in client software (Codex CLI) via malicious config files (T1203) and is facilitated by compromising repositories to host these files (T1195.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-58176 (shared CWE-94)
CVE-2026-2287 (shared CWE-94)
CVE-2024-57061 (shared CWE-94)
CVE-2025-5120 (shared CWE-94)
CVE-2025-54063 (shared CWE-94)
CVE-2024-56448 (shared CWE-94)
CVE-2026-45374 (shared CWE-94)
CVE-2025-25467 (shared CWE-94)
CVE-2026-30741 (shared CWE-94)
CVE-2025-46059 (shared CWE-94)

Affected Assets

Checkpoint
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the code injection flaw in OpenAI Codex CLI by applying vendor patches or updates to versions prior to v0.23.0.

prevent: Requires validation of untrusted inputs from project-local .env and .codex/config.toml files to block arbitrary command execution.

prevent: Verifies integrity of configuration files and software before loading to detect modifications enabling malicious code execution.

References