Cyber Posture

CVE-2025-9262

MediumPublic PoC

Published: 20 August 2025

Published
20 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0049 65.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9262 is a medium-severity Command Injection (CWE-77) vulnerability in Wong2 Mcp-Cli. Its CVSS base score is 5.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-27 Platform-independent Applications
addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

SI-10 Information Input Validation
addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

Remote OS command injection (CWE-78) in public-facing OAuth handler directly enables T1190 exploitation and arbitrary command execution via T1059.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw has been found in wong2 mcp-cli 1.13.0. Affected is the function redirectToAuthorization of the file /src/oauth/provider.js of the component oAuth Handler. This manipulation causes os command injection. The attack may be initiated remotely. The attack is considered to…

more

have high complexity. The exploitability is told to be difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2025-9262 is an OS command injection vulnerability (CWE-77, CWE-78) in wong2 mcp-cli version 1.13.0. The flaw resides in the redirectToAuthorization function within the file /src/oauth/provider.js of the oAuth Handler component. This issue allows manipulation that triggers OS command injection and was published on 2025-08-20 with a CVSS v3.1 base score of 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation with high complexity and is rated as difficult to exploit, requiring no privileges or user interaction. Attackers can achieve low-level impacts on confidentiality, integrity, and availability, potentially executing arbitrary OS commands through the OAuth handler.

Advisories from VulDB note that the vendor was contacted early about the disclosure but provided no response, and no patches or mitigations are referenced. A proof-of-concept exploit has been published and is available via linked gists, indicating it may be usable by attackers.

Details

CWE(s)
CWE-77CWE-78

Affected Products

wong2
mcp-cli
1.13.0

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
No AI-related keywords detected.

CVEs Like This One

CVE-2026-7593Shared CWE-77, CWE-78
CVE-2026-6130Shared CWE-77, CWE-78
CVE-2026-7064Shared CWE-77, CWE-78
CVE-2026-7785Shared CWE-77, CWE-78
CVE-2026-7443Shared CWE-77, CWE-78
CVE-2026-5802Shared CWE-77, CWE-78
CVE-2025-11285Shared CWE-77, CWE-78
CVE-2025-1676Shared CWE-77, CWE-78
CVE-2026-7061Shared CWE-77, CWE-78
CVE-2025-11491Shared CWE-77, CWE-78

References