CVE-2025-8667: OS Command Injection in SkyworkAI DeepResearchAgent
A vulnerability, which was classified as critical, was found in SkyworkAI DeepResearchAgent up to 08eb7f8eb9505d0094d75bb97ff7dacc3fa3bbf2. Affected is the function from_code/from_dict/from_mcp of the file src/tools/tools.py. The manipulation leads to OS command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8667 is a security vulnerability in the SkyworkAI DeepResearchAgent software, specifically in the from_code, from_dict, and from_mcp functions of the src/tools/tools.py file. The flaw is an OS command injection, which allows an attacker to inject and execute arbitrary operating system commands remotely. This class of vulnerability arises when untrusted input is passed, without proper sanitization, to functions that execute system-level commands, so that the attacker's input is interpreted as part of the command itself. The affected version is identified only by the commit hash 08eb7f8eb9505d0094d75bb97ff7dacc3fa3bbf2, because the product’s continuous delivery model with rolling releases provides no precise version numbers. The vendor has not responded to early disclosure attempts, and no patches or updates have been publicly released. The vulnerability has a CVSS 4.0 base score of 5.3 (medium severity); the vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N) and low privileges required (PR:L), with low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no exploits are currently reported in the wild, the public disclosure increases the risk of exploitation. The continuous delivery and rolling release nature of the product complicates tracking and patching, potentially leaving many deployments vulnerable, and the lack of vendor response and absence of patches further exacerbate the risk profile.
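The following is an added illustration, not code from DeepResearchAgent or its maintainers, of the pattern the summary describes, written in Python because that is the project's language. The command (`wc -l <file>`), the two sample inputs and the allowlist policy are constructed stand-ins; the point is to make visible how a string handed to a shell becomes two commands, and how an argv list with validation, or at minimum quoting, keeps it one.

```python
"""Added illustration, not DeepResearchAgent code: how untrusted input reaches a
shell in an OS command injection, and two ways to close that path. The command
(`wc -l <file>`) and the sample inputs are constructed stand-ins."""
import re
import shlex
from typing import List

# Constructed sample inputs: one benign, one carrying a shell control operator.
BENIGN_INPUT = "report.txt"
HOSTILE_INPUT = "report.txt; echo INJECTED"

# Allowlist for a file-name argument (assumed policy): letters, digits, . _ -
SAFE_ARG = re.compile(r"[A-Za-z0-9._-]{1,128}")

# Shell control operators that start a second command.
CONTROL_OPERATORS = {";", "|", "||", "&", "&&"}


def unsafe_command_string(arg: str) -> str:
    """The anti-pattern: interpolate untrusted input into a string destined for
    shell=True or os.system(). The shell, not the program, decides what it means."""
    return f"wc -l {arg}"


def shell_tokens(command: str) -> List[str]:
    """Tokenize as a POSIX shell would, keeping control operators as their own
    tokens, so it is visible whether the input smuggled in a second command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def count_commands(command: str) -> int:
    """Number of simple commands the shell would run for this string."""
    return 1 + sum(1 for tok in shell_tokens(command) if tok in CONTROL_OPERATORS)


def is_safe_arg(arg: str) -> bool:
    """Allowlist validation: accept only what the argument is supposed to be."""
    return SAFE_ARG.fullmatch(arg) is not None


def safe_argv(arg: str) -> List[str]:
    """Hardened form: validate, then build an argv list for subprocess.run(argv)
    with no shell, so metacharacters are never parsed at all."""
    if not is_safe_arg(arg):
        raise ValueError(f"rejected argument: {arg!r}")
    return ["wc", "-l", arg]


def quoted_command_string(arg: str) -> str:
    """Second line of defence when a shell is unavoidable: shlex.quote turns the
    input into one literal word. Prefer safe_argv; quoting alone is fragile."""
    return f"wc -l {shlex.quote(arg)}"


if __name__ == "__main__":
    for label, cmd in (("unsafe/benign", unsafe_command_string(BENIGN_INPUT)),
                       ("unsafe/hostile", unsafe_command_string(HOSTILE_INPUT)),
                       ("quoted/hostile", quoted_command_string(HOSTILE_INPUT))):
        print(f"{label}: {cmd!r} -> {count_commands(cmd)} command(s)")
    print("argv/benign:", safe_argv(BENIGN_INPUT))
    print("argv/hostile accepted?", is_safe_arg(HOSTILE_INPUT))
```

The allowlist is the control that matters: an argv list prevents the shell from ever seeing the input, and validation additionally stops arguments such as option strings or path traversal that are legal words but still wrong for the call site.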
Potential Impact
For European organizations using SkyworkAI DeepResearchAgent, this vulnerability poses a significant risk. Successful exploitation could allow remote attackers to execute arbitrary OS commands, potentially leading to unauthorized data access, system compromise, lateral movement within networks, or disruption of services. Given the medium CVSS score and the low impact ratings, the immediate damage might be limited but still serious, especially in environments where the DeepResearchAgent is integrated with sensitive research data or critical infrastructure. The low privilege requirement and the absence of any user interaction lower the barrier for attackers, increasing the likelihood of exploitation in automated attacks. European entities involved in AI research, data analytics, or sectors relying on SkyworkAI’s tools could face confidentiality breaches or operational disruptions. Additionally, the lack of vendor patches means organizations must rely on internal mitigations, increasing operational overhead and risk. The continuous delivery model may also cause inconsistent patch levels across deployments, complicating vulnerability management. Overall, the vulnerability could undermine trust in AI research tools and expose sensitive intellectual property or personal data processed by the affected software.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement immediate compensating controls. First, restrict network access to the DeepResearchAgent service using firewalls or network segmentation to limit exposure to trusted hosts only. Employ strict input validation and sanitization at the application layer if possible, especially for any user-supplied data processed by the affected functions. Monitor system and application logs for unusual command execution patterns or anomalies indicative of exploitation attempts. Deploy host-based intrusion detection systems (HIDS) to detect suspicious OS command executions. Consider running the DeepResearchAgent in a sandboxed or containerized environment with minimal privileges to limit the impact of potential command injection. Regularly audit and update access controls to ensure only authorized personnel can interact with the service. Engage in active threat intelligence sharing within European cybersecurity communities to stay informed about emerging exploits. Finally, maintain readiness to apply vendor patches promptly once available and consider alternative tools if the risk is deemed unacceptable.
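As an added example of the log-monitoring and HIDS recommendations above (not code from the project or the advisory), the detector below scans process-creation records for the shape a command injection leaves behind: the agent's Python process spawning a shell whose -c string chains several commands, or a child binary outside the set its tools are expected to run. The record format, field names, parent process name and allowlist are assumptions to be mapped onto the real EDR or auditd schema; the log lines are constructed.

```python
"""Added example, not DeepResearchAgent code: a small detector for the log
monitoring and HIDS advice in the mitigation section. It scans process-creation
records for the shape of a command injection: the agent's Python process spawning
a shell whose -c string chains several commands, or a child binary outside an
expected set."""
import json
import re
from typing import List, Optional, Tuple

# Assumptions about the deployment; adjust to the real one.
AGENT_PARENT_COMM = "python3"              # process the agent runs as
EXPECTED_CHILDREN = {"wc", "git", "grep"}  # binaries its tools legitimately spawn
SHELLS = {"sh", "bash", "dash", "zsh"}
# Control operators and command substitution that chain a second command.
CHAIN_RE = re.compile(r";|\|\||&&|\||`|\$\(|\n")

# Constructed sample records in a simplified JSON-lines process-audit format
# (field names are assumptions; map them to your EDR or auditd schema).
SAMPLE_LOG = """\
{"ts":"2025-08-06T18:01:02Z","host":"agent-01","pid":4101,"ppid":4000,"pcomm":"python3","comm":"wc","cmdline":"wc -l report.txt"}
{"ts":"2025-08-06T18:01:05Z","host":"agent-01","pid":4102,"ppid":4000,"pcomm":"python3","comm":"sh","cmdline":"sh -c wc -l report.txt; id"}
{"ts":"2025-08-06T18:01:09Z","host":"agent-01","pid":4103,"ppid":4000,"pcomm":"python3","comm":"sh","cmdline":"sh -c git log --oneline -n 5"}
{"ts":"2025-08-06T18:01:12Z","host":"agent-01","pid":4104,"ppid":4000,"pcomm":"python3","comm":"curl","cmdline":"curl -s http://example.invalid/"}
{"ts":"2025-08-06T18:02:00Z","host":"agent-01","pid":4105,"ppid":1,"pcomm":"systemd","comm":"sh","cmdline":"sh -c logrotate /etc/logrotate.conf"}
"""


def parse_records(text: str) -> List[dict]:
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def shell_payload(cmdline: str) -> Optional[str]:
    """Return the script handed to `<shell> -c`, or None for other invocations."""
    parts = cmdline.split(None, 2)
    if len(parts) == 3 and parts[1] == "-c":
        return parts[2]
    return None


def classify(rec: dict) -> Optional[str]:
    """Verdict for one record, or None when it matches expected behaviour."""
    if rec["pcomm"] != AGENT_PARENT_COMM:
        return None                      # not spawned by the agent; out of scope here
    if rec["comm"] in SHELLS:
        payload = shell_payload(rec["cmdline"])
        if payload is not None and CHAIN_RE.search(payload):
            return "chained-shell-command"
        return None                      # single command via a shell: noisy, not conclusive
    if rec["comm"] not in EXPECTED_CHILDREN:
        return "unexpected-child-binary"
    return None


def scan(text: str) -> List[Tuple[int, str]]:
    """Alerts as (pid, verdict) pairs, in log order."""
    alerts = []
    for rec in parse_records(text):
        verdict = classify(rec)
        if verdict:
            alerts.append((rec["pid"], verdict))
    return alerts


if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE_LOG):
        print(f"pid {pid}: {verdict}")
```

Keying the rule on the parent process keeps it quiet on the rest of the host, and the child allowlist is the part that has to be tuned per deployment: build it from a few days of baseline process records before enforcing it, then treat every new binary the agent spawns as something to explain rather than ignore.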
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-06T09:01:40.112Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68939c47ad5a09ad00f31c36
Added to database: 8/6/2025, 6:17:43 PM
Last enriched: 8/6/2025, 6:32:44 PM
Last updated: 8/8/2025, 12:38:57 AM