Critical Command Injection Vulnerability in Cybersecurity AI (CAI) Framework
A critical command injection vulnerability, tracked as CVE-2025-67511, has been identified in the open-source Cybersecurity AI (CAI) framework, which is used for building and deploying AI-powered offensive and defensive automation. The flaw exists in the run_ssh_command_with_credentials() function, where only the password and command inputs are properly escaped, leaving the username, host, and port parameters vulnerable to injection. This allows attackers to craft malicious inputs that can execute arbitrary shell commands via AI agents, potentially compromising affected systems remotely. The vulnerability affects all CAI versions up to and including 0.5.9, and no official fix or patch is available as of the latest reports.
The issue is classified as critical, with a CVSS v3.1 base score of 9.6 or higher, reflecting the high risk to confidentiality, integrity, and availability. Exploitation requires user interaction, likely through the AI agent's command execution interface, but does not require authentication or elevated privileges. Security advisories recommend that organizations using CAI implement compensating controls and monitor for suspicious activity, as the vulnerability is remotely exploitable and no mitigation has been released. The lack of a patch increases the urgency for defensive measures to prevent potential exploitation in production environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Technical advisories and PoC details published for CVE-2025-67511
By the time of public publication, security advisories and technical details, including GitHub proof-of-concept exploit information, had been made available by researchers and referenced by vendors. The disclosures emphasized the vulnerability's critical severity, remote exploitability, and the absence of an official patch.
CVE-2025-67511 disclosed in Alias Robotics CAI
A critical command injection vulnerability, CVE-2025-67511, was disclosed in Cybersecurity AI (CAI) versions 0.5.9 and below. The flaw affects the run_ssh_command_with_credentials() function, where unsanitized username, host, and port parameters can enable remote command execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2025-67511 - Cybersecurity AI (CAI) vulnerable to Command Injection in run_ssh_command_with_credentials Agent tool
cvefeed.io
Open sourceCVE-2025-67511 | Tenable®
tenable.com
Open sourceCVE-2025-67511: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in aliasrobotics cai
radar.offseq.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical OS Command Injection Patched in Splunk AI Toolkit
Splunk disclosed a critical vulnerability in **Splunk AI Toolkit** that allows OS command injection through the `btool` Configuration Helper, affecting versions earlier than **5.7.4**. Tracked as **`CVE-2026-20266`** and rated **CVSS 9.1**, the flaw stems from unsafe shell execution that can let a user with the Splunk **admin** role run arbitrary commands on the host running Splunk Enterprise, creating a direct path to host compromise. Splunk also fixed **`CVE-2026-20265`**, a lower-severity insecure default domain allowlist issue rated **CVSS 4.3** that could allow a low-privileged user to trigger outbound HTTP requests and potentially exfiltrate data to an attacker-controlled server. The Canadian Centre for Cyber Security highlighted the vendor advisory in **AV26-614** and urged administrators to review Splunk’s guidance and upgrade to **version 5.7.4 or later**; public reporting said there was **no confirmed exploitation in the wild** at disclosure time.
Jun 29, 2026
ServiceNow AI Platform Flaw (CVE-2025-12420) Enables Unauthenticated User Impersonation
ServiceNow disclosed and remediated a **critical** vulnerability in its AI Platform, tracked as **CVE-2025-12420** (CVSS **9.3**), that could allow an **unauthenticated attacker to impersonate legitimate users** and perform actions with the victim’s entitlements. The issue impacts ServiceNow AI features including **Now Assist AI Agents** and the **Virtual Agent API**; ServiceNow reported deploying fixes to most hosted instances in October 2025 and providing updates to partners and self-hosted customers, and stated it has **no evidence of exploitation** prior to remediation. Research associated with the disclosure highlighted broader risks in enterprise AI agent deployments, including the potential for **second-order prompt injection** when default settings and agent-to-agent capabilities (e.g., *agent discovery*) are not tightly controlled. In testing described by the reporting, low-privileged users could embed malicious instructions into data fields later processed by higher-privileged AI agents, potentially leading to unauthorized access or changes; customers were advised to upgrade to patched releases (including *Now Assist AI Agents* `5.1.18+` / `5.2.19+` and *Virtual Agent API* `3.15.2+` / `4.0.4+`) and to apply relevant security updates across hosted and self-managed environments.
Jun 29, 2026
PromptPwnd Prompt Injection Vulnerability in AI-Driven CI/CD Pipelines
Aikido Security researchers have identified a new vulnerability class, dubbed **PromptPwnd**, that affects automated CI/CD pipelines such as GitHub Actions and GitLab CI/CD when integrated with AI agents like Gemini CLI, Claude Code, OpenAI Codex, and GitHub AI Inference. The vulnerability arises from prompt injection attacks, where untrusted user input—such as bug report titles—can be embedded into AI prompts, causing the AI agent to execute privileged actions, leak secrets, or manipulate workflows. This attack chain has been confirmed as practical and reproducible, with at least five Fortune 500 companies exposed, including a notable case involving Google’s Gemini CLI repository, which was patched within four days of responsible disclosure. Aikido Security has open-sourced Opengrep rules to help organizations detect this vulnerability in their codebases and recommends several mitigation steps: restricting the toolset available to AI agents, avoiding the injection of untrusted input into prompts, treating AI output as untrusted, and limiting the blast radius of leaked tokens. This is the first confirmed real-world demonstration that AI prompt injection can compromise CI/CD pipelines, highlighting the growing risks of integrating AI automation into software supply chains. The discovery follows recent attacks like Shai-Hulud 2.0, underscoring the urgent need for robust security controls in environments leveraging AI-driven automation.
Jun 29, 2026