CVE-2025-58062
Published: 28 August 2025
Summary
CVE-2025-58062 is a high-severity OS Command Injection (CWE-78) vulnerability in Google (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 42.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28661
Vulnerability details
LSTM-Kirigaya's openmcp-client is a vscode plugin for mcp developer. Prior to version 0.1.12, when users on a Windows platform connect to an attacker controlled MCP server, attackers could provision a malicious authorization server endpoint to silently achieve an OS command…
more
injection attack in the open() invocation, leading to client system compromise. This issue has been patched in version 0.1.12.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in the VSCode plugin allows attackers controlling an MCP server to trigger OS command injection via a malicious authorization endpoint during connection, enabling exploitation for client-side code execution and abuse of Windows Command Shell.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.