Cyber Posture

CVE-2025-67511

Critical · Public PoC · RCE

Published: 11 December 2025
Modified: 17 March 2026
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.3th percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-67511 is a critical-severity Command Injection (CWE-77) vulnerability in Aliasrobotics Cybersecurity AI (CAI). Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The vulnerability ranks at the 27.3th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Other ATLAS/OWASP Terms risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Command and Scripting Interpreter (T1059) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Directly addresses the command injection vulnerability by requiring validation of all inputs, including unescaped username, host, and port parameters in run_ssh_command_with_credentials().

Prevent: Requires monitoring for vulnerabilities like CVE-2025-67511 and timely remediation through patching, as indicated by the available GitHub commit.

Prevent: Enforces least privilege on AI agents and the CAI process to limit the scope and impact of arbitrary command execution resulting from the injection.

MITRE ATT&CK Enterprise Techniques [AI]

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The command injection vulnerability in run_ssh_command_with_credentials() via unescaped username, host, and port parameters enables arbitrary shell command execution on the host running CAI, mapping to T1059 (Command and Scripting Interpreter) and specifically T1059.004 (Unix Shell) given the SSH context.

NVD Description

Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection; while username, host and port values are injectable. This issue does not have a fix at the time of publication.

Deeper analysis [AI]

CVE-2025-67511 is a command injection vulnerability (CWE-77) in the open-source Cybersecurity AI (CAI) framework, which supports building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are affected specifically in the run_ssh_command_with_credentials() function, accessible to AI agents. While password and command inputs are escaped to prevent shell injection, the username, host, and port parameters remain unescaped and thus injectable.

The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and high impacts across confidentiality, integrity, and availability. Attackers can exploit it by tricking users or AI agents into supplying malicious values for the injectable fields, enabling arbitrary command execution on the host running CAI.

Published on 2025-12-11, the advisory notes no fix was available at that time. A related commit (https://github.com/aliasrobotics/cai/commit/09ccb6e0baccf56c40e6cb429c698750843a999c) addresses the issue, with further details in the GitHub security advisory (https://github.com/aliasrobotics/cai/security/advisories/GHSA-4c65-9gqf-4w8h) and a technical blog post (https://www.hacktivesecurity.com/blog/2025/12/10/cve-2025-67511-tricking-a-security-ai-agent-into-pwning-itself).
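
The pattern described above, as an added example (not CAI's actual code and not the upstream fix): a hypothetical builder that quotes only password and command, next to a hardened form that allow-list validates username, host and port and returns an argument vector for execution without a local shell. The function names, the sshpass invocation and all sample values are assumptions constructed for illustration.

```python
import ipaddress
import re
import shlex

USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def build_vulnerable(username, host, password, command, port=22):
    """Flawed pattern (hypothetical): only password and command are quoted."""
    return (f"sshpass -p {shlex.quote(password)} ssh -p {port} "
            f"{username}@{host} {shlex.quote(command)}")

def shell_operators(cmdline):
    """Unquoted control operators a local shell would act on (shlex approximation)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and set(tok) <= set("();<>|&")]

def validate_target(username, host, port):
    """Allow-list the three fields the advisory names as injectable.

    Both patterns require an alphanumeric or '_' first character, so a value
    can never be parsed by ssh as an option.
    """
    if not USER_RE.fullmatch(str(username)):
        raise ValueError("invalid username")
    host = str(host)
    try:
        ipaddress.ip_address(host)          # IPv4 or IPv6 literal
    except ValueError:
        if len(host) > 253 or not HOST_RE.fullmatch(host):
            raise ValueError("invalid host") from None
    if not str(port).isdecimal() or not 1 <= int(port) <= 65535:
        raise ValueError("invalid port")
    return str(username), host, int(port)

def build_hardened(username, host, password, command, port=22):
    """Return (argv, extra_env) for subprocess.run(argv, env=..., shell=False).

    The password travels in SSHPASS (sshpass -e) instead of argv; merge
    extra_env into a copy of os.environ before running.
    """
    user, host, port = validate_target(username, host, port)
    argv = ["sshpass", "-e", "ssh", "-p", str(port), "-l", user, host, command]
    return argv, {"SSHPASS": password}
```

The `command` element is still interpreted by the remote login shell, which is the function's purpose; the hardening removes the local shell from the path and constrains the connection parameters.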

Details

CWE(s): CWE-77 (Command Injection)

Affected Products

aliasrobotics / cybersecurity ai / ≤ 0.5.9

AI Security Analysis [AI]

AI Category: AI Agent Protocols and Integrations
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Cybersecurity AI (CAI) is a framework for building and deploying AI-powered automation with functions available to AI agents, such as run_ssh_command_with_credentials for SSH integrations, fitting AI agent protocols and integrations.

CVEs Like This One

CVE-2026-30625 (shared CWE-77)
CVE-2025-61489 (shared CWE-77)
CVE-2025-61492 (shared CWE-77)
CVE-2026-30616 (shared CWE-77)
CVE-2026-30624 (shared CWE-77)
CVE-2025-66404 (shared CWE-77)
CVE-2026-30615 (shared CWE-77)
CVE-2026-22688 (shared CWE-77)
CVE-2025-54424 (shared CWE-77)
CVE-2026-22785 (shared CWE-77)

References