Cyber Posture

CVE-2025-66404

Medium · Public PoC · RCE

Published: 03 December 2025

Modified: 16 December 2025
KEV Added
Patch
CVSS Score: 6.4 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.2th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66404 is a medium-severity Command Injection (CWE-77) vulnerability in Suyogs Mcp-Server-Kubernetes. Its CVSS base score is 6.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 44.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly addresses the lack of input validation on user-provided string commands passed to sh -c, preventing shell metacharacter interpretation and command injection.

prevent

Requires timely flaw remediation, such as patching to version 2.9.8, to eliminate the specific command injection vulnerability in exec_in_pod.

prevent

Restricts inputs to the exec_in_pod tool to safe formats like arrays only, blocking string-based shell metacharacter exploitation.

MITRE ATT&CK Enterprise Techniques · AI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1609 Container Administration Command Execution
Adversaries may abuse a container administration service to execute commands within a container.
Why these techniques?

The vulnerability enables shell command injection via unsanitized string input to 'sh -c' in the exec_in_pod tool (T1059.004: Unix Shell). It also facilitates abuse of container administration commands for arbitrary execution in Kubernetes pods (T1609: Container Administration Command).

NVD Description

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.

Deeper analysis · AI

CVE-2025-66404 is a command injection vulnerability (CWE-77) in the exec_in_pod tool of the mcp-server-kubernetes MCP Server, which connects to and manages Kubernetes clusters. In versions prior to 2.9.8, the tool accepts user-provided commands in both array and string formats. String-format commands are passed directly to shell interpretation via sh -c without input validation, enabling interpretation of shell metacharacters.

The vulnerability has a CVSS v3.1 base score of 6.4 (AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H), indicating exploitation over the network but requiring high attack complexity, high privileges, and user interaction. Attackers with sufficient privileges can exploit it through direct command injection by supplying malicious strings or via indirect prompt injection attacks, where AI agents execute unintended commands on Kubernetes pods without explicit user intent, potentially leading to high-impact confidentiality, integrity, and availability compromises.

The vulnerability is fixed in version 2.9.8, as detailed in the project's GitHub security advisory (GHSA-wvxp-jp4w-w8wg) and the corresponding commit (d091107ff92d9ffad1b3c295092f142d6578c48b). Security practitioners should upgrade to 2.9.8 or later and review usage of the exec_in_pod tool, particularly in environments integrating AI agents.

This issue highlights risks in AI/ML-adjacent tools interfacing with infrastructure like Kubernetes, where prompt injection can bypass intended controls. No public evidence of real-world exploitation is available at publication.
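The two input shapes described above, as an added example that is not code from the mcp-server-kubernetes project: `legacyArgv` models the pre-2.9.8 string handling and `strictArgv` an array-only policy. All function names and sample inputs are constructed for illustration, and rejecting arrays that themselves start a shell with `-c` is an extra assumption beyond what the advisory text states.

```javascript
// Hypothetical helpers; names are illustrative, not the project's API.

// Behaviour described for versions before 2.9.8: a string command is
// wrapped in `sh -c`, so the shell parses every metacharacter in it.
function legacyArgv(command) {
  return Array.isArray(command) ? [...command] : ["sh", "-c", command];
}

const SHELLS = new Set(["sh", "bash", "dash", "ash", "zsh", "ksh"]);
const INLINE_FLAG = /^-[A-Za-z]*c[A-Za-z]*$/; // -c, -lc, -ec ...
const META = /[;&|`$<>()\n]/g;                // characters a shell would act on

// Array-only policy: each element is one literal argv entry, never parsed
// by a shell. Assumption: also refuse arrays that re-introduce `sh -c`.
function strictArgv(command) {
  if (!Array.isArray(command) || command.length === 0) {
    throw new TypeError("command must be a non-empty array of strings");
  }
  for (const arg of command) {
    if (typeof arg !== "string" || arg.includes("\0")) {
      throw new TypeError("every argument must be a NUL-free string");
    }
  }
  const exe = command[0].split("/").pop();
  if (SHELLS.has(exe) && command.slice(1).some((a) => INLINE_FLAG.test(a))) {
    throw new Error("shell -c invocation rejected");
  }
  return [...command];
}

// Audit view of one tool call: would a shell see it, and which
// metacharacters would that shell interpret?
function review(command) {
  const viaShell = typeof command === "string";
  const metachars = viaShell ? [...new Set(command.match(META) || [])] : [];
  let accepted = true;
  let reason = null;
  try { strictArgv(command); } catch (e) { accepted = false; reason = e.message; }
  return { viaShell, metachars, accepted, reason };
}

// Constructed sample inputs.
console.log(review("ls /tmp; echo injected"));   // string form: shell parses ';'
console.log(review(["ls", "/tmp; echo injected"])); // array form: ';' is a literal
console.log(review(["/bin/sh", "-c", "ls"]));    // array that re-enters a shell
```

The same `review` function can be run over logged tool-call arguments to find string-format or shell-wrapping `exec_in_pod` requests when auditing agent activity.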

Details

CWE(s)

Affected Products

suyogs
mcp-server-kubernetes
≤ 2.9.8

AI Security Analysis · AI

AI Category
AI Agent Protocols and Integrations
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
The CVE affects MCP Server Kubernetes, a server used by AI agents to manage Kubernetes clusters. The vulnerability enables p

CVEs Like This One

CVE-2026-39884 · Same product: Suyogs Mcp-Server-Kubernetes
CVE-2025-54424 · Shared CWE-77
CVE-2025-67511 · Shared CWE-77
CVE-2025-61489 · Shared CWE-77
CVE-2026-22785 · Shared CWE-77
CVE-2026-41497 · Shared CWE-77
CVE-2026-30625 · Shared CWE-77
CVE-2026-30615 · Shared CWE-77
CVE-2025-50428 · Shared CWE-77
CVE-2026-41500 · Shared CWE-77
