CVE-2025-67510
Published: 10 December 2025
Summary
CVE-2025-67510 is a critical-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Neuron-Ai Neuron. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-67510 is a critical-severity vulnerability (CVSS 9.4, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) in Neuron, a PHP framework for creating and orchestrating AI agents. It affects versions 2.8.11 and below, specifically the MySQLWriteTool component, which executes arbitrary SQL queries supplied by the caller via PDO::prepare() and execute() without semantic restrictions. Although consistent with its "write tool" purpose, this design exposes risks in LLM/agent contexts where unfiltered SQL can lead to destructive actions; it is mapped to CWE-250 (Execution with Unnecessary Privileges) and CWE-284 (Improper Access Control).
Remote attackers require no privileges (PR:N) and can exploit the issue over the network (AV:N) with low complexity by using prompt injection or indirect prompt manipulation against agents exposed to untrusted inputs. If the tool runs with a database user possessing broad permissions, this enables execution of harmful queries like DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements, potentially causing high integrity (I:H) and availability (A:H) impacts with limited confidentiality exposure (C:L).
The issue is addressed in Neuron version 2.8.12. Mitigation involves upgrading immediately, particularly for deployments with MySQLWriteTool enabled on agents handling untrusted data or using high-privilege DB credentials. Key resources include the fixing commit (https://github.com/neuron-core/neuron-ai/commit/44bab85d92bf162898ee48d0bcef6ba0d29b59c9), release notes (https://github.com/neuron-core/neuron-ai/releases/tag/2.8.12), and GitHub security advisory (https://github.com/neuron-core/neuron-ai/security/advisories/GHSA-898v-775g-777c).
This vulnerability underscores AI/ML-specific risks in agent frameworks, where LLM-driven tool calls can amplify privilege misuse without traditional input sanitization. No public evidence of real-world exploitation is available as of publication on 2025-12-10.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-202170
Vulnerability details
Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, llm, prompt injection
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary SQL execution through prompt injection in an exposed AI agent, facilitating exploitation of public-facing applications (T1190), data collection from databases (T1213.006), stored data manipulation via destructive or altering queries (T1565.001), and data destruction (T1485).
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring timely remediation through upgrading to Neuron version 2.8.12, which addresses the arbitrary SQL execution flaw.
- AC-6 (Least Privilege): limits damage from arbitrary SQL execution by enforcing least privilege on the database user, so that destructive queries like DROP TABLE or privilege escalations (CWE-250) cannot succeed even if they are issued.
- SI-10 (Information Input Validation): prevents prompt injection from leading to harmful SQL by validating the input reaching the MySQLWriteTool and enforcing semantic restrictions on the statement kinds it will execute.
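The two controls the page names (a semantic restriction on what a write tool will execute, and a least-privilege database account) can be shown together in a small PHP wrapper around PDO::prepare()/execute(). The following is an added example written for this page; it is not code from the Neuron project, the fixing commit, or the advisory. The class name GuardedWriteTool, the account name agent_writer, the DSN and the table names are hypothetical. It covers both the "Vulnerability details" passage above and the AC-6 / SI-10 controls just listed.

```php
<?php
// Added example (not Neuron's own code). A write tool that gates caller-supplied
// SQL on statement kind before it reaches PDO::prepare()/execute(), run under a
// database account that holds only the privileges the tool needs.
declare(strict_types=1);

final class GuardedWriteTool
{
    /** Statement kinds a write tool legitimately needs; everything else is refused. */
    private const ALLOWED_STATEMENTS = ['INSERT', 'UPDATE'];

    public function __construct(private PDO $pdo) {}

    /**
     * Leading SQL keyword of $sql after stripping leading whitespace and
     * comments, upper-cased; null if none can be found.
     */
    public static function leadingKeyword(string $sql): ?string
    {
        // Remove leading whitespace, "--" and "#" line comments, and block comments,
        // so that a comment cannot hide the real statement kind from the check.
        $stripped = preg_replace('~^(?:\s+|--[^\n]*\n?|#[^\n]*\n?|/\*.*?\*/)+~s', '', $sql);
        if ($stripped === null || !preg_match('~^([A-Za-z]+)~', $stripped, $m)) {
            return null;
        }
        return strtoupper($m[1]);
    }

    /**
     * Semantic restriction (SI-10): refuse statement kinds outside the allowlist
     * and refuse stacked statements. Throws InvalidArgumentException on rejection.
     */
    public static function assertAllowed(string $sql): void
    {
        $keyword = self::leadingKeyword($sql);
        if ($keyword === null || !in_array($keyword, self::ALLOWED_STATEMENTS, true)) {
            throw new InvalidArgumentException(
                'Statement kind not permitted for write tool: ' . ($keyword ?? '<unknown>')
            );
        }
        // Reject "INSERT ...; DROP TABLE ..." style stacking. A semicolon inside a
        // string literal also trips this; for a tool driven by an LLM that is the
        // safe direction to fail. MySQL server-side prepares reject stacked
        // statements anyway; this check makes the intent explicit and DB-independent.
        if (preg_match('~;\s*\S~', $sql)) {
            throw new InvalidArgumentException('Multiple statements are not permitted');
        }
    }

    /** Execute a vetted, parameterised statement; returns the affected row count. */
    public function execute(string $sql, array $params = []): int
    {
        self::assertAllowed($sql);
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount();
    }
}

// Usage sketch (hypothetical DSN, credentials and table):
// $pdo = new PDO('mysql:host=db;dbname=app', 'agent_writer', 'REPLACE_ME', [
//     PDO::ATTR_EMULATE_PREPARES => false,        // server-side prepares: one statement each
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// $tool = new GuardedWriteTool($pdo);
// $tool->execute('INSERT INTO notes (body) VALUES (:b)', ['b' => 'hello']); // allowed
// $tool->execute('/* harmless */ DROP TABLE notes');   // throws: DROP not permitted
// $tool->execute('UPDATE notes SET body = 1; DELETE FROM notes'); // throws: stacked
//
// Least privilege (AC-6) for the agent's account, issued by the DBA (hypothetical names):
//   CREATE USER 'agent_writer'@'%' IDENTIFIED BY '...';
//   GRANT INSERT, UPDATE ON app.notes TO 'agent_writer'@'%';
// Without DROP, ALTER, DELETE or GRANT privileges the account cannot carry out the
// destructive statements named in the advisory even if the gate were bypassed.
```

The gate is deliberately an allowlist of statement kinds rather than a blocklist of dangerous keywords: a blocklist has to anticipate every destructive form (TRUNCATE, ALTER, GRANT, and so on), while an allowlist only has to name what a write tool is for. The database grant is the second, independent layer; it is what makes a bypass of the application-level check non-destructive.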