Cyber Resilience

CVE-2025-59834

CriticalPublic PoCRCE

Published: 25 September 2025

Published
25 September 2025
Modified
14 October 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0249 85.6th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59834 is a critical-severity Command Injection (CWE-77) vulnerability in Srmorete Adb Mcp Server. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked in the top 14.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

ADB MCP Server is an MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the server contains a command injection vulnerability (CWE-77, CWE-78) in certain tool definitions and implementations, rated at CVSS 9.8. The flaw stems from insufficient input sanitization when handling commands passed through the MCP interface.

An unauthenticated remote attacker can supply crafted inputs to the affected tools and achieve arbitrary command execution on the host system, resulting in full control over confidentiality, integrity, and availability without requiring user interaction.

The vulnerability was addressed by commit 041729c, as documented in the GitHub security advisory GHSA-54j7-grvr-9xwg, which includes the patch and references to the vulnerable code paths in src/index.ts.

The associated EPSS score has remained flat at 0.0180 with no material rise after disclosure.

EU & UK References

Vulnerability details

ADB MCP Server is a MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part…

more

of some of its MCP Server tool definition and implementation. This issue has been patched via commit 041729c.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp, model context protocol

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection vulnerability in MCP Server tool definition and implementation enables arbitrary command execution, directly facilitating T1059: Command and Scripting Interpreter.

CVEs Like This One

CVE-2025-11491Shared CWE-77, CWE-78
CVE-2026-7064Shared CWE-77, CWE-78
CVE-2026-6130Shared CWE-77, CWE-78
CVE-2025-66401Shared CWE-78
CVE-2025-9262Shared CWE-77, CWE-78
CVE-2026-7593Shared CWE-77, CWE-78
CVE-2026-7443Shared CWE-77, CWE-78
CVE-2026-7785Shared CWE-77, CWE-78
CVE-2026-5802Shared CWE-77, CWE-78
CVE-2025-11490Shared CWE-77, CWE-78

Affected Assets

srmorete
adb mcp server
≤ 0.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of information inputs, directly preventing command injection by sanitizing or rejecting malicious payloads in the ADB MCP Server's tool definitions and implementations.

prevent

SI-2 mandates timely identification, reporting, and patching of system flaws, directly addressing this command injection vulnerability as demonstrated by the patching commit 041729c.

prevent

AC-6 enforces least privilege for processes, limiting the impact of arbitrary command execution achieved through exploitation of the command injection flaw.

References