Cyber Resilience

CVE-2026-25807

HighPublic PoCRCE

Published: 09 February 2026

Published
09 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0064 45.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25807 is a high-severity Code Injection (CWE-94) vulnerability in Taklaxbr Zai Shell. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-25807 affects ZAI Shell, an autonomous SysOps agent designed to navigate, repair, and secure complex environments, in versions prior to 9.0.3. The vulnerability resides in the P2P terminal sharing feature, invoked via the "share start" command, which opens a TCP socket on port 5757 without any authentication mechanism. This exposes the socket to remote connections, enabling potential code injection as classified under CWE-94, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this by connecting to the exposed port 5757 using a simple socket script, without requiring privileges or authentication. When ZAI Shell is running in --no-ai mode, the attacker can send arbitrary system commands through the P2P session. If the host user approves the command without reviewing its contents, it executes directly with the user's privileges, bypassing all Sentinel safety checks and potentially leading to high confidentiality, integrity, and availability impacts.

The vulnerability is fixed in ZAI Shell version 9.0.3. Mitigation details are available in the GitHub security advisory (GHSA-6pjj-r955-34rr), the release notes for v9.0.3, and the fixing commit (a4ea8525d912f55d6e2f09b2869966c52d189a4a), which security practitioners should review for patch implementation guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

ZAI Shell is an autonomous SysOps agent designed to navigate, repair, and secure complex environments. Prior to 9.0.3, the P2P terminal sharing feature (share start) opens a TCP socket on port 5757 without any authentication mechanism. Any remote attacker can…

more

connect to this port using a simple socket script. An attacker who connects to a ZAI-Shell P2P session running in --no-ai mode can send arbitrary system commands. If the host user approves the command without reviewing its contents, the command executes directly with the user's privileges, bypassing all Sentinel safety checks. This vulnerability is fixed in 9.0.3.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability exposes an unauthenticated public-facing TCP socket (port 5757) exploitable remotely for initial access (T1190) and enables arbitrary system command execution via command injection (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2287Shared CWE-94
CVE-2026-31040Shared CWE-94
CVE-2026-26045Shared CWE-94
CVE-2024-11600Shared CWE-94
CVE-2025-67979Shared CWE-94
CVE-2026-6543Shared CWE-94
CVE-2025-6000Shared CWE-94
CVE-2024-54756Shared CWE-94
CVE-2026-42898Shared CWE-94
CVE-2026-30741Shared CWE-94

Affected Assets

taklaxbr
zai shell
≤ 9.0.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-17 requires authentication, authorization, and monitoring for remote access mechanisms, directly mitigating the unauthenticated TCP socket opened by the P2P terminal sharing feature.

prevent

SC-41 restricts access to specific ports like 5757, preventing remote attackers from connecting to the exposed P2P socket.

prevent

CM-7 prohibits or restricts non-essential functions, ports, and services such as the vulnerable P2P sharing feature to minimize attack surface.

References