A high-severity vulnerability has been identified in multiple products from the vendor "Using" related to its Codex CLI tool. When an operator runs this tool in a malicious directory, an attacker can exploit it to overwrite any file on the system, which can lead to a denial of service or a complete system takeover via remote code execution. Due to the severity and potential for full compromise, immediate patching of affected systems is strongly recommended.

The vulnerability exists within the "Using Codex CLI" tool when executed in workspace-write mode. The tool fails to properly validate and sanitize file paths, specifically when encountering symbolic links (symlinks). An attacker can craft a malicious context, such as a Git repository or a local directory, containing a symlink that points to a sensitive file or location outside of the intended current working directory. When a user or automated system runs the Codex CLI in this directory, the tool will follow the symlink and write content to the linked destination, leading to an arbitrary file overwrite. By targeting critical system files like shell configuration scripts (.bashrc), SSH authorized keys, or system binaries, an attacker can leverage this file overwrite capability to achieve remote code execution (RCE).

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could lead to a complete compromise of the affected system's confidentiality, integrity, and availability. The primary business risks include a full system compromise, allowing an attacker to exfiltrate sensitive data, install persistent malware or ransomware, or use the compromised machine to pivot to other systems within the corporate network. In environments where the Codex CLI is used in automated CI/CD pipelines, this vulnerability could be triggered by a malicious code commit, potentially leading to a widespread compromise of critical development and production infrastructure.

Immediate Action: Apply the vendor-supplied security patches immediately, prioritizing internet-facing systems, developer workstations, and CI/CD servers where the Codex CLI tool is utilized. After patching, review system access logs and file integrity monitoring alerts for any signs of suspicious file modifications that may have occurred prior to remediation.

Proactive Monitoring:

• Log Analysis: Monitor for executions of the Codex CLI tool, paying close attention to processes running in workspace-write mode. Scrutinize logs for file write operations that target locations outside of the expected project directories.
• File Integrity Monitoring (FIM): Use FIM solutions to detect and alert on unauthorized changes to critical system files, such as /etc/passwd, /etc/shadow, /bin/, /usr/bin/, and user-specific startup scripts (e.g., ~/.bashrc, ~/.profile).
• Endpoint Detection and Response (EDR): Monitor for suspicious process chains where the Codex CLI process spawns unexpected shells or executes system commands.

Compensating Controls: If patching is not immediately feasible, implement the following controls to mitigate risk:

• Sandboxing: Run the Codex CLI tool within a containerized or sandboxed environment to restrict its file system access to a limited scope.
• Least Privilege: Ensure the tool is executed by a low-privilege user account that does not have write permissions to critical system directories.
• Policy Control: Implement policies that prevent developers and automated systems from cloning or operating on code from untrusted or unverified sources.

Public Exploit Available: false

Given the high CVSS score of 8.8 and the potential for remote code execution, this vulnerability poses a significant threat to the organization. We strongly recommend that all system administrators prioritize the immediate deployment of the vendor's security patches across all affected assets. Although CVE-2025-55345 is not currently on the CISA KEV (Known Exploited Vulnerabilities) list, its severity makes it a prime candidate for future inclusion. Proactive patching is the most effective strategy to prevent exploitation. If patching is delayed, the compensating controls outlined above must be implemented without delay to reduce the attack surface.