CVE-2025-67511
Cybersecurity AI (CAI) vulnerable to Command Injection in run_ssh_command_with_credentials Agent tool
Vexday Risk Score
48Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS 9.7EPSS 1.8%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Ciclo de vida
09 dic 2025PoC pública
10 dic 2025Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection; while username, host and port values are injectable. This issue does not have a fix at the time of publication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Productos afectados
aliasrobotics · caiPoCs públicas encontradas — 1
githubgithub.com/edoardottt/CVE-2025-67511★ 4⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.