CVE-2026-25807
Published: 09 February 2026
Summary
CVE-2026-25807 is a high-severity Code Injection (CWE-94) vulnerability in Taklaxbr Zai Shell. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-17 requires authentication, authorization, and monitoring for remote access mechanisms, directly mitigating the unauthenticated TCP socket opened by the P2P terminal sharing feature.
SC-41 restricts access to specific ports like 5757, preventing remote attackers from connecting to the exposed P2P socket.
CM-7 prohibits or restricts non-essential functions, ports, and services such as the vulnerable P2P sharing feature to minimize attack surface.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability exposes an unauthenticated public-facing TCP socket (port 5757) exploitable remotely for initial access (T1190) and enables arbitrary system command execution via command injection (T1059).
NVD Description
ZAI Shell is an autonomous SysOps agent designed to navigate, repair, and secure complex environments. Prior to 9.0.3, the P2P terminal sharing feature (share start) opens a TCP socket on port 5757 without any authentication mechanism. Any remote attacker can…
more
connect to this port using a simple socket script. An attacker who connects to a ZAI-Shell P2P session running in --no-ai mode can send arbitrary system commands. If the host user approves the command without reviewing its contents, the command executes directly with the user's privileges, bypassing all Sentinel safety checks. This vulnerability is fixed in 9.0.3.
Deeper analysisAI
CVE-2026-25807 affects ZAI Shell, an autonomous SysOps agent designed to navigate, repair, and secure complex environments, in versions prior to 9.0.3. The vulnerability resides in the P2P terminal sharing feature, invoked via the "share start" command, which opens a TCP socket on port 5757 without any authentication mechanism. This exposes the socket to remote connections, enabling potential code injection as classified under CWE-94, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this by connecting to the exposed port 5757 using a simple socket script, without requiring privileges or authentication. When ZAI Shell is running in --no-ai mode, the attacker can send arbitrary system commands through the P2P session. If the host user approves the command without reviewing its contents, it executes directly with the user's privileges, bypassing all Sentinel safety checks and potentially leading to high confidentiality, integrity, and availability impacts.
The vulnerability is fixed in ZAI Shell version 9.0.3. Mitigation details are available in the GitHub security advisory (GHSA-6pjj-r955-34rr), the release notes for v9.0.3, and the fixing commit (a4ea8525d912f55d6e2f09b2869966c52d189a4a), which security practitioners should review for patch implementation guidance.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai