Cyber Resilience

CVE-2025-9262

LowPublic PoC

Published: 20 August 2025

Published
20 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.9 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0061 70.2th percentile
Risk Priority 6 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9262 is a low-severity Command Injection (CWE-77) vulnerability in Wong2 Mcp-Cli. Its CVSS base score is 2.9 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-9262 is an OS command injection vulnerability (CWE-77, CWE-78) in wong2 mcp-cli version 1.13.0. The flaw resides in the redirectToAuthorization function within the file /src/oauth/provider.js of the oAuth Handler component. This issue allows manipulation that triggers OS command injection and was published on 2025-08-20 with a CVSS v3.1 base score of 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation with high complexity and is rated as difficult to exploit, requiring no privileges or user interaction. Attackers can achieve low-level impacts on confidentiality, integrity, and availability, potentially executing arbitrary OS commands through the OAuth handler.

Advisories from VulDB note that the vendor was contacted early about the disclosure but provided no response, and no patches or mitigations are referenced. A proof-of-concept exploit has been published and is available via linked gists, indicating it may be usable by attackers.

EU & UK References

Vulnerability details

A flaw has been found in wong2 mcp-cli 1.13.0. Affected is the function redirectToAuthorization of the file /src/oauth/provider.js of the component oAuth Handler. This manipulation causes os command injection. The attack may be initiated remotely. The attack is considered to…

more

have high complexity. The exploitability is told to be difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote OS command injection (CWE-78) in public-facing OAuth handler directly enables T1190 exploitation and arbitrary command execution via T1059.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7064Shared CWE-77, CWE-78
CVE-2026-6130Shared CWE-77, CWE-78
CVE-2026-7593Shared CWE-77, CWE-78
CVE-2026-7443Shared CWE-77, CWE-78
CVE-2026-7785Shared CWE-77, CWE-78
CVE-2026-5802Shared CWE-77, CWE-78
CVE-2025-11285Shared CWE-77, CWE-78
CVE-2026-6942Shared CWE-78
CVE-2025-59736Shared CWE-77, CWE-78
CVE-2025-44015Shared CWE-77, CWE-78

Affected Assets

wong2
mcp-cli
1.13.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of all inputs to redirectToAuthorization to reject OS command injection payloads before execution.

prevent

Restricts the OAuth handler process to only necessary functions, disabling shell or command execution capabilities that the flaw would otherwise abuse.

prevent

Limits privileges of the mcp-cli process so that any injected commands cannot perform meaningful actions on the underlying OS.

References