Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2025-61260 -- CVSS 9.8 Vulnerability Briefing

CVE-2025-61260 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2025-61260 is a remote code execution vulnerability in OpenAI Codex CLI versions 0.23.0 and earlier, triggered through maliciously crafted Model Context Protocol (MCP) configuration files.

Technical Detail

The flaw arises from insufficient validation of MCP configuration files processed by the Codex CLI tool, allowing an attacker to embed directives that cause arbitrary code execution when a user loads or interacts with a malicious configuration. The attack vector is client-side: a victim must open or process a weaponized MCP config file, which could be delivered via a repository, shared project workspace, or social engineering. Successful exploitation results in code execution within the context of the user running the CLI, potentially enabling full system compromise, credential theft, or lateral movement depending on the user's privilege level.

Exploitation Status

No known exploit has been publicly documented or confirmed as of this writing. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The exploit maturity is currently assessed as no known exploit, meaning no public proof-of-concept or observed in-the-wild activity has been recorded. However, the critical CVSS score of 9.8 and the straightforward nature of the attack vector warrant proactive remediation without waiting for confirmed exploitation.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence. Given that Codex CLI is widely used by software developers and AI-assisted development workflows, opportunistic actors targeting developer toolchains and software supply chains represent a plausible risk profile, but this is not confirmed attribution.

What To Do

Organizations and individuals using OpenAI Codex CLI should upgrade immediately to a version released after 0.23.0 that addresses this vulnerability. Until a patch is applied, users should avoid loading MCP configuration files from untrusted or unverified sources, and treat any externally supplied configuration files as potentially hostile. Security teams should audit CI/CD pipelines and developer workstations for Codex CLI installations and enforce version controls. Detection efforts should focus on anomalous process spawning from CLI tool parent processes and unexpected network connections initiated during configuration file parsing. Given the critical severity rating, this should be treated as a high-priority patch in any environment where Codex CLI is deployed.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →