CVE-2025-59834
Published: 25 September 2025
Summary
CVE-2025-59834 is a critical-severity Command Injection (CWE-77) vulnerability in Srmorete Adb Mcp Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked in the top 14.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
ADB MCP Server is an MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the server contains a command injection vulnerability (CWE-77, CWE-78) in certain tool definitions and implementations, rated at CVSS 9.8. The flaw stems from insufficient input sanitization when handling commands passed through the MCP interface.
An unauthenticated remote attacker can supply crafted inputs to the affected tools and achieve arbitrary command execution on the host system, resulting in full control over confidentiality, integrity, and availability without requiring user interaction.
The vulnerability was addressed by commit 041729c, as documented in the GitHub security advisory GHSA-54j7-grvr-9xwg, which includes the patch and references to the vulnerable code paths in src/index.ts.
The associated EPSS score has remained flat at 0.0180 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31042
Vulnerability details
ADB MCP Server is a MCP (Model Context Protocol) server for interacting with Android devices through ADB. In versions 0.1.0 and prior, the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part…
more
of some of its MCP Server tool definition and implementation. This issue has been patched via commit 041729c.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp, model context protocol
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection vulnerability in MCP Server tool definition and implementation enables arbitrary command execution, directly facilitating T1059: Command and Scripting Interpreter.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of information inputs, directly preventing command injection by sanitizing or rejecting malicious payloads in the ADB MCP Server's tool definitions and implementations.
SI-2 mandates timely identification, reporting, and patching of system flaws, directly addressing this command injection vulnerability as demonstrated by the patching commit 041729c.
AC-6 enforces least privilege for processes, limiting the impact of arbitrary command execution achieved through exploitation of the command injection flaw.