CVE-2025-54074

High · Public PoC · RCE

Published: 13 August 2025
Modified: 02 December 2025
CVSS Score v4: 7.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.1261 (94.1th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54074 is a high-severity OS Command Injection (CWE-78) vulnerability in Cherry-Ai Cherry Studio. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE is ranked in the top 5.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 IA-9 (Service Identification and Authentication) and SI-10 (Information Input Validation).

Deeper analysis

Cherry Studio is a desktop client supporting multiple LLM providers and is affected by an OS command injection vulnerability (CWE-78) in versions 1.2.5 through 1.5.1. The flaw occurs during connection to an MCP server operating in HTTP Streamable mode, where the client fails to safely handle responses from a malicious authorization server endpoint.

An attacker who controls a compatible MCP server can exploit the issue by crafting OAuth authorization responses that inject arbitrary OS commands. Victims are tricked into initiating a connection to the malicious server, after which the attacker can achieve code execution on the client system with impacts to confidentiality, integrity, and availability.

The vulnerability is addressed in the patch released as version 1.5.2. The corresponding GitHub security advisory and commit 40f9601 document the fix and recommend that users upgrade immediately. The EPSS score has remained flat at 0.1261 with no observed rise after disclosure.

Vulnerability details

Cherry Studio is a desktop client that supports multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can set up a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting to it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2.

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: llm, mcp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The OS command injection vulnerability in Cherry Studio client enables adversaries to execute arbitrary OS commands (T1059) by tricking users into connecting to a malicious MCP server, facilitating exploitation for client-side code execution (T1203).

CVEs Like This One

CVE-2025-54382 · Same product: Cherry-Ai Cherry Studio
CVE-2025-54063 · Same product: Cherry-Ai Cherry Studio
CVE-2025-61591 · Shared CWE-78
CVE-2025-64106 · Shared CWE-78
CVE-2026-26029 · Shared CWE-78
CVE-2026-26331 · Shared CWE-78
CVE-2025-6514 · Shared CWE-78
CVE-2026-25546 · Shared CWE-78
CVE-2025-65480 · Shared CWE-78
CVE-2024-14010 · Shared CWE-78

Affected Assets

cherry-ai
cherry studio
1.2.5 — 1.5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates the CVE by requiring timely remediation through patching to version 1.5.2, which fixes the OS command injection flaw.

prevent

Prevents OS command injection by validating and sanitizing untrusted inputs received from MCP servers in HTTP Streamable mode.

prevent

Blocks connections to malicious MCP servers by requiring authentication of external LLM provider services before establishing sessions.
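
As an added illustration of the input-validation control above (not Cherry Studio's code and not the 1.5.2 fix): it assumes the untrusted input is an OAuth authorization server metadata document whose endpoint fields (names per RFC 8414) are URLs, and checks each one before the client acts on it. The https-only policy, the length limit and the host `auth.example.test` are assumptions made for the example.

```javascript
// Added example (not Cherry Studio code): validate endpoint URLs from an
// OAuth authorization server metadata document before the client uses them.
// Field names follow RFC 8414; the https-only policy is an assumption.
const ENDPOINT_FIELDS = [
  "authorization_endpoint",
  "token_endpoint",
  "registration_endpoint",
];

// Whitespace, control characters, quotes and common shell metacharacters.
// "&" stays allowed because it is legitimate in query strings, so the value
// must still never be concatenated into a shell command line.
const FORBIDDEN = /[\s\x00-\x1f\x7f"'`$|;<>^(){}\\]/;

function validateEndpoint(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 2048) {
    return { ok: false, reason: "not a bounded string" };
  }
  if (FORBIDDEN.test(value)) return { ok: false, reason: "forbidden character" };
  let url;
  try {
    url = new URL(value);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme is not https" };
  if (url.username || url.password) return { ok: false, reason: "embedded credentials" };
  return { ok: true, url: url.href };
}

// Returns only the fields that passed; callers should refuse to connect when
// ok is false rather than fall back to the raw server-supplied values.
function validateMetadata(metadata) {
  const clean = {};
  const errors = [];
  for (const field of ENDPOINT_FIELDS) {
    if (!Object.prototype.hasOwnProperty.call(metadata, field)) continue;
    const result = validateEndpoint(metadata[field]);
    if (result.ok) clean[field] = result.url;
    else errors.push(`${field}: ${result.reason}`);
  }
  return { ok: errors.length === 0, clean, errors };
}

// Constructed sample document (hypothetical host), not taken from a real server.
const SAMPLE = { authorization_endpoint: "https://auth.example.test/authorize", token_endpoint: "file:///tmp/x" };
console.log(validateMetadata(SAMPLE));
```

Validation of this kind complements, and does not replace, upgrading to 1.5.2 and passing any server-supplied value to the operating system as a discrete argument rather than through a shell.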
