CVE-2026-25807: CWE-94: Improper Control of Generation of Code ('Code Injection') in TaklaXBR zai-shell
CVE-2026-25807 is a high-severity code injection vulnerability in TaklaXBR's zai-shell versions prior to 9.0.3. The flaw exists in the P2P terminal sharing feature, which opens an unauthenticated TCP socket on port 5757. Remote attackers can connect to this port and send arbitrary system commands if the session is running in --no-ai mode. Commands execute with the user's privileges if the user approves them without review, bypassing Sentinel safety checks. Exploitation requires user interaction to approve commands but no authentication or prior privileges. The vulnerability impacts confidentiality, integrity, and availability of affected systems. It is fixed in version 9. 0.
AI Analysis
Technical Summary
CVE-2026-25807 is a vulnerability classified under CWE-94 (Improper Control of Generation of Code), affecting TaklaXBR's zai-shell software versions before 9.0.3. The zai-shell is an autonomous SysOps agent designed to manage, repair, and secure complex IT environments. Its P2P terminal sharing feature, invoked via the 'share start' command, opens a TCP socket on port 5757 without any authentication mechanism. This design flaw allows any remote attacker to connect to the socket using a simple socket script. When the zai-shell session is running in --no-ai mode, the attacker can send arbitrary system commands to the host. Although the host user must approve these commands, the approval process lacks content review safeguards, enabling execution of potentially malicious commands with the user's privileges. This bypasses all Sentinel safety checks intended to prevent unauthorized code execution. The vulnerability has a CVSS v3.1 score of 8.8, indicating high severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), and impacts on confidentiality, integrity, and availability all rated high (C:H/I:H/A:H). No known exploits are reported in the wild yet. The vulnerability was publicly disclosed on February 9, 2026, and fixed in zai-shell version 9.0.3. The lack of authentication on the P2P socket and the ability to inject arbitrary commands make this a critical risk for environments relying on zai-shell for autonomous operations, particularly where remote access is enabled.
Potential Impact
The vulnerability allows remote attackers to execute arbitrary system commands on affected zai-shell hosts with the privileges of the logged-in user, potentially leading to full system compromise. This threatens confidentiality by exposing sensitive data accessible to the user account, integrity by allowing unauthorized modification or deletion of files and configurations, and availability by enabling disruptive commands such as service termination or resource exhaustion. For European organizations, especially those in critical infrastructure, finance, or technology sectors relying on zai-shell for automated system operations, this could result in operational disruption, data breaches, and lateral movement within networks. The unauthenticated access to the P2P terminal sharing port increases the attack surface, particularly in environments with exposed or poorly segmented networks. The requirement for user approval reduces but does not eliminate risk, as social engineering or insufficient command review can lead to exploitation. The high CVSS score reflects the significant potential impact and ease of exploitation.
Mitigation Recommendations
1. Upgrade all zai-shell installations to version 9.0.3 or later, where the vulnerability is fixed.
2. If upgrading immediately is not possible, disable the P2P terminal sharing feature ('share start') to prevent opening the unauthenticated TCP socket on port 5757.
3. Restrict network access to port 5757 using firewalls or network segmentation, allowing only trusted hosts to connect.
4. Implement strict operational policies requiring thorough review of any commands presented for user approval, emphasizing verification of command content before acceptance.
5. Monitor network traffic for unexpected connections to port 5757 and unusual command execution patterns.
6. Educate users and administrators about the risks of approving commands without review, especially in --no-ai mode sessions.
7. Employ endpoint detection and response (EDR) solutions to detect anomalous command execution and lateral movement attempts.
8. Regularly audit and update security controls around autonomous SysOps tools to minimize attack surfaces.
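One way to act on recommendations 3 and 5 is to audit socket state on hosts that run zai-shell. The sketch below is an added example, not code from zai-shell or from this advisory; it assumes input in the column layout printed by `ss -Htan` on Linux, and the sample lines and the trusted CIDR are constructed for illustration.

```python
import ipaddress

SHARE_PORT = 5757  # port the advisory says 'share start' listens on

# Constructed sample of `ss -Htan` output: state, recv-q, send-q, local, peer.
SAMPLE_SS = """\
LISTEN 0 5 0.0.0.0:5757 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
ESTAB 0 0 192.0.2.10:5757 198.51.100.23:49822
ESTAB 0 0 192.0.2.10:5757 10.20.0.5:51514
ESTAB 0 0 192.0.2.10:22 10.20.0.5:51000
"""

def split_endpoint(endpoint):
    """Split 'addr:port' as printed by ss; handles [v6]:port, '*' and %scope."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%", 1)[0], port

def is_loopback(host):
    # '*' means the socket is bound on every address, so never loopback-only.
    return host != "*" and ipaddress.ip_address(host).is_loopback

def audit(ss_text, trusted_cidrs):
    """Return findings for the sharing port: exposed listeners, untrusted peers."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        state = fields[0]
        lhost, lport = split_endpoint(fields[3])
        if lport != str(SHARE_PORT):
            continue
        if state == "LISTEN" and not is_loopback(lhost):
            findings.append(("exposed-listener", lhost))
        elif state == "ESTAB":
            phost, _ = split_endpoint(fields[4])
            peer = ipaddress.ip_address(phost)
            # Compare IPv4-mapped IPv6 peers against IPv4 allowlist entries.
            peer = getattr(peer, "ipv4_mapped", None) or peer
            if not any(peer in net for net in trusted):
                findings.append(("untrusted-peer", phost))
    return findings

if __name__ == "__main__":
    for kind, addr in audit(SAMPLE_SS, ["10.20.0.0/16"]):
        print(f"{kind}: {addr} (tcp/{SHARE_PORT})")
```

On a live host, pass the real output of `ss -Htan` and the organisation's own trusted ranges in place of the sample; any finding on an unpatched host is a reason to stop the sharing session or tighten the firewall rule.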
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-05T19:58:01.642Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 698a592c4b57a58fa173fd9a
Added to database: 2/9/2026, 10:01:16 PM
Last enriched: 2/9/2026, 10:15:55 PM
Last updated: 2/9/2026, 11:13:27 PM
Related Threats
- CVE-2026-25958: CWE-807: Reliance on Untrusted Inputs in a Security Decision in cube-js cube (High)
- CVE-2026-25957: CWE-755: Improper Handling of Exceptional Conditions in cube-js cube (Medium)
- CVE-2025-15319: Improper Link Resolution Before File Access ('Link Following') in Tanium Patch Endpoint Tools (High)
- CVE-2025-15318: Improper Link Resolution Before File Access ('Link Following') in Tanium End-User Notifications Endpoint Tools (Medium)
- CVE-2026-25951: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in frangoteam FUXA (High)