CVE-2025-8665
📋 TL;DR
This critical vulnerability allows remote attackers to execute arbitrary operating system commands through command injection in the Model Context Protocol Handler component of agno-agi agno. Systems running agno up to version 1.7.5 are affected. The vulnerability can be exploited without authentication.
💻 Affected Systems
- agno-agi agno
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attacker to execute arbitrary commands with the privileges of the agno process, potentially leading to data theft, system takeover, or lateral movement.
Likely Case
Remote code execution allowing attackers to run commands on the vulnerable system, potentially installing malware, exfiltrating data, or creating backdoors.
If Mitigated
Limited impact if proper network segmentation, least privilege, and input validation are in place, though command injection could still be possible.
🎯 Exploit Status
Proof of concept exploit is publicly available on GitHub, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available as vendor did not respond. Consider workarounds or alternative software.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement strict input validation and sanitization for the command argument in the MCPTools/MultiMCPTools function
Network Access Control
allRestrict network access to the agno service to only trusted sources
🧯 If You Can't Patch
- Isolate the vulnerable system in a restricted network segment with no internet access
- Implement strict firewall rules to limit which systems can communicate with the agno service
🔍 How to Verify
Check if Vulnerable:
Check if agno version is 1.7.5 or earlier by examining the software version or package informationCheck Version:
Check agno version through package manager or by examining the software directlyVerify Fix Applied:
Verify that the vulnerable function has been modified to properly sanitize input or that the software has been updated to a patched version📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns
- Suspicious process creation from agno service
- Error logs showing malformed command inputs
Network Indicators:
- Unexpected outbound connections from agno service
- Traffic to suspicious IPs or domains
SIEM Query:
Search for process execution events where parent process is agno-related and command contains suspicious characters or patterns