Overview
CVE-2025-35028 is a critical vulnerability affecting the HexStrike AI MCP (Management and Control Plane) server. This command injection vulnerability allows an attacker to execute arbitrary commands with root privileges on the affected server. Due to the severity and ease of exploitation, immediate action is recommended to mitigate this risk.
Technical Details
The vulnerability resides in the EnhancedCommandExecutor class of the HexStrike AI MCP server. Specifically, when an API endpoint created by this class receives a command-line argument starting with a semicolon (;), the server fails to properly sanitize this input. Consequently, the crafted command is executed directly with the MCP server’s privileges, which are typically root.
The root cause lies in the insufficient input validation and sanitization of command-line arguments passed to the EnhancedCommandExecutor. As of commit 2f3a5512 (September 2025), the default configuration of the MCP server lacks any effective measures to prevent command injection.
CVSS Analysis
This vulnerability has been assigned a CVSS score of 9.1 (CRITICAL). This high score reflects the following factors:
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Scope: Changed (S:C)
- Confidentiality Impact: High (C:H)
- Integrity Impact: High (I:H)
- Availability Impact: High (A:H)
The low attack complexity and the lack of required privileges mean that an attacker can easily exploit this vulnerability remotely without any user interaction.
Possible Impact
The exploitation of CVE-2025-35028 can lead to severe consequences, including:
- Full System Compromise: Attackers can gain complete control over the affected server, allowing them to steal sensitive data, modify system configurations, and install malicious software.
- Data Breach: Confidential data stored on the server can be accessed and exfiltrated.
- Denial of Service (DoS): Attackers can disrupt the server’s functionality, making it unavailable to legitimate users.
- Lateral Movement: Compromised servers can be used as a springboard to attack other systems within the network.
Mitigation or Patch Steps
To mitigate the risk associated with CVE-2025-35028, the following actions are recommended:
- Apply the Patch: The primary mitigation is to apply the official patch released by HexStrike AI. Ensure you are running the latest version of the MCP server that addresses this vulnerability. Contact HexStrike AI support for specific patching instructions.
- Input Validation and Sanitization: If a patch is not immediately available, implement robust input validation and sanitization mechanisms for all command-line arguments passed to the EnhancedCommandExecutor class. Specifically, filter out or escape any characters that could be used for command injection, such as semicolons (;), pipes (|), and backticks (`).
- Least Privilege Principle: Review and restrict the privileges assigned to the MCP server. While it is often necessary to operate as root, carefully examine whether a less privileged account can accomplish the required tasks.
- Network Segmentation: Segment the network to limit the potential impact of a successful attack. Isolate the MCP server from other critical systems to prevent lateral movement.
- Intrusion Detection and Prevention Systems (IDS/IPS): Implement or update IDS/IPS rules to detect and block attempts to exploit this vulnerability.
- Web Application Firewall (WAF): Deploy a WAF to filter malicious requests before they reach the MCP server. Configure the WAF to block requests containing command injection payloads.
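
The input-validation step above, as an added example (not HexStrike AI's code and not the official patch): the function names, the `ALLOWED_TOOLS` allowlist and the sample input are assumptions. It goes one step beyond character filtering by executing an argv list with no shell, so `;`, `|` and backticks are never interpreted in the first place.

```python
import shlex
import subprocess

# Hypothetical allowlist: the page does not list the tools the MCP server wraps.
ALLOWED_TOOLS = {"echo"}
# Characters a shell would interpret; rejected as defence in depth.
SHELL_META = set(";|&`$<>(){}\\\n\r")


def run_unsafe(tool: str, user_args: str) -> str:
    """Vulnerable shape: the request string is handed to /bin/sh unchanged."""
    done = subprocess.run(f"{tool} {user_args}", shell=True,
                          capture_output=True, text=True, timeout=10)
    return done.stdout


def build_argv(tool: str, user_args: str) -> list[str]:
    """Validate the request and return an argv list for shell-free execution."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    try:
        args = shlex.split(user_args)  # tokenise only; nothing is executed
    except ValueError as exc:  # e.g. unbalanced quotes
        raise ValueError("malformed argument string") from exc
    for arg in args:
        if SHELL_META & set(arg):
            raise ValueError(f"shell metacharacter in argument: {arg!r}")
    return [tool, *args]


def run_safe(tool: str, user_args: str) -> str:
    """Hardened shape: argv list, shell=False, so ';' is never a separator."""
    done = subprocess.run(build_argv(tool, user_args), shell=False,
                          capture_output=True, text=True, timeout=10)
    return done.stdout


if __name__ == "__main__":
    payload = "hello; echo INJECTED"          # constructed, harmless sample input
    print(repr(run_unsafe("echo", payload)))  # the shell runs a second command
    try:
        run_safe("echo", payload)
    except ValueError as err:
        print("rejected:", err)
    print(repr(run_safe("echo", "hello world")))
```

The allowlist and the metacharacter check are independent layers: even if the character set misses something, `shell=False` means the argument reaches the tool as a literal string.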
