CVE-2025-67509: CWE-94: Improper Control of Generation of Code ('Code Injection') in neuron-core neuron-ai
Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below use MySQLSelectTool, which is vulnerable to Read-Only Bypass. MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying); however, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE. As a result, an attacker who can influence the tool input (e.g., via prompt injection through a public agent endpoint) may write arbitrary files to the DB server if the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory). This issue is fixed in version 2.8.12.
AI Analysis
Technical Summary
CVE-2025-67509 is a code injection vulnerability classified under CWE-94 affecting neuron-core's neuron-ai PHP framework versions 2.8.11 and below. The vulnerability resides in the MySQLSelectTool component, which is designed to perform read-only SQL queries for AI agent orchestration. The tool attempts to validate input by checking the first SQL keyword (e.g., SELECT) and filtering forbidden keywords to prevent write operations. However, this validation is insufficient as it does not block SQL clauses like INTO OUTFILE or INTO DUMPFILE, which can be used to write arbitrary files to the database server's filesystem. An attacker who can influence the input to this tool—such as via prompt injection through a publicly accessible AI agent endpoint—can exploit this flaw to write files if the database user has the FILE privilege and the server configuration allows writing to locations accessible by the attacker, such as web server directories. This can lead to arbitrary file creation, potentially enabling remote code execution or persistent backdoors. The vulnerability requires no authentication or user interaction and is remotely exploitable over the network. The CVSS v3.1 score is 8.2 (high severity), reflecting the ease of exploitation and significant impact on integrity. The issue was publicly disclosed on December 10, 2025, and fixed in neuron-ai version 2.8.12. No known exploits in the wild have been reported yet.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity of systems running neuron-ai versions prior to 2.8.12. Successful exploitation can allow attackers to write arbitrary files on database servers, potentially leading to remote code execution, data manipulation, or persistent backdoors. This can compromise sensitive data, disrupt AI agent operations, and undermine trust in AI-driven services. Organizations relying on neuron-ai for AI orchestration, especially those exposing agent endpoints publicly, face elevated risk. The impact is heightened if the database user has FILE privileges and the server permits writing to web-accessible directories, which could lead to website defacement, malware hosting, or lateral movement within networks. Given the remote, unauthenticated exploit vector, attackers can target vulnerable systems at scale. The confidentiality impact is limited (CVSS indicates low), but integrity impact is high, and availability is not directly affected. The threat is particularly relevant for sectors with AI deployments in production, including finance, healthcare, and critical infrastructure within Europe.
Mitigation Recommendations
European organizations should immediately upgrade neuron-ai to version 2.8.12 or later to apply the official fix. Until patching is complete, restrict or remove the FILE privilege from MySQL/MariaDB accounts used by neuron-ai to prevent file write operations. Review and harden database server configurations to disallow writing files to web-accessible or sensitive directories. Implement strict input validation and sanitization on all AI agent endpoints to prevent prompt injection attacks that could influence SQL queries. Monitor logs for suspicious SQL queries containing INTO OUTFILE or similar clauses. Employ network segmentation to isolate database servers and limit exposure of AI agent endpoints to trusted networks or authenticated users. Conduct regular security audits of AI orchestration frameworks and database permissions. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malicious SQL payloads targeting this vulnerability.
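The advisory describes a first-keyword plus deny-list check that misses INTO OUTFILE / INTO DUMPFILE, and the mitigations above recommend watching query logs for those clauses. The following Python is an added illustration, not neuron-ai's code: a hypothetical weak_is_read_only that models such a check, a hardened_is_read_only that also rejects file-writing clauses and stacked statements, and a flag_file_writes scanner run over constructed general-log-style lines.

```python
import re

# Deny-list modelled on the advisory's description of the check (hypothetical,
# not the actual neuron-ai list): write statements identified by keyword only.
FORBIDDEN = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "TRUNCATE", "GRANT"}

# File-writing clauses that can follow a SELECT, which a keyword deny-list misses.
FILE_WRITE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.IGNORECASE)

def normalize(sql: str) -> str:
    """Drop block comments and collapse whitespace so every check sees one token stream."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    return " ".join(sql.split())

def weak_is_read_only(sql: str) -> bool:
    """First keyword must be SELECT and no deny-listed keyword may appear.
    SELECT ... INTO OUTFILE passes because every one of its tokens is allowed."""
    tokens = normalize(sql).upper().split()
    return bool(tokens) and tokens[0] == "SELECT" and not (set(tokens) & FORBIDDEN)

def hardened_is_read_only(sql: str) -> bool:
    """Weak check plus: no stacked statements and no file-writing clause.
    A ';' inside a string literal is rejected too; failing closed is the point."""
    norm = normalize(sql)
    if ";" in norm.rstrip(";"):
        return False
    return weak_is_read_only(norm) and not FILE_WRITE.search(norm)

def flag_file_writes(log_lines):
    """Return (line_no, text) for every log entry whose query carries a file-write clause."""
    return [(n, line.strip()) for n, line in enumerate(log_lines, 1)
            if FILE_WRITE.search(normalize(line))]

# Constructed sample in MySQL general-log style (timestamp, thread id, command, query).
SAMPLE_LOG = [
    "2025-12-10T22:00:01Z  12 Query  SELECT id, name FROM products WHERE id = 7",
    "2025-12-10T22:00:02Z  12 Query  SELECT 'x' INTO OUTFILE '/var/www/html/out.txt'",
    "2025-12-10T22:00:03Z  13 Query  select 1 into\n    dumpfile '/tmp/out.bin'",
]

if __name__ == "__main__":
    q = "SELECT 'x' INTO OUTFILE '/var/www/html/out.txt'"
    print("weak check accepts file write:", weak_is_read_only(q))      # True
    print("hardened check accepts it:", hardened_is_read_only(q))      # False
    for n, text in flag_file_writes(SAMPLE_LOG):
        print(f"log line {n}: {text}")
```

Such a check is a second line of defence only; removing the FILE privilege and setting MySQL's secure_file_priv to a restricted directory (or NULL to disable file export entirely) closes the write path regardless of what the agent sends.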
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-08T21:36:28.780Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6939ff557cb4621ebe9f6bd0
Added to database: 12/10/2025, 11:16:37 PM
Last enriched: 12/10/2025, 11:24:04 PM
Last updated: 12/11/2025, 1:29:23 AM