
CVE-2025-35028: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in 0x4m4 HexStrike AI

Severity: Critical
Type: Vulnerability
Tags: CVE-2025-35028, cve, cve-2025-35028, cwe-78
Published: Sun Nov 30 2025 (11/30/2025, 21:27:56 UTC)
Source: CVE Database V5
Vendor/Project: 0x4m4
Product: HexStrike AI

Description

By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025).

AI-Powered Analysis

Last updated: 11/30/2025, 21:47:37 UTC

Technical Analysis

CVE-2025-35028 is an OS command injection vulnerability classified under CWE-78, affecting the HexStrike AI MCP server developed by 0x4m4. The vulnerability exists because the EnhancedCommandExecutor class fails to properly sanitize command-line arguments passed to its API endpoint. Specifically, if an attacker provides an argument beginning with a semicolon (;), the server concatenates this input directly into an OS command string and executes it with the MCP server’s normal privileges, which are typically root-level. This lack of input validation allows an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system, compromising confidentiality and integrity of the system. The vulnerability was identified in the codebase as of commit 2f3a5512 in September 2025 and publicly disclosed on November 30, 2025. The CVSS v3.1 score of 9.1 reflects the vulnerability’s network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H), with no impact on availability (A:N). Although no exploits have been observed in the wild yet, the ease of exploitation and severity make this a critical threat. The vulnerability affects all deployments running the specified vulnerable commit version of HexStrike AI MCP server. The absence of patches or mitigations in the provided data suggests that organizations must proactively implement input validation or disable the vulnerable API endpoint to prevent exploitation.

Potential Impact

For European organizations, the impact of CVE-2025-35028 is significant. HexStrike AI MCP server is likely used in AI-driven applications and infrastructure, potentially including critical sectors such as finance, healthcare, manufacturing, and government services. Exploitation could lead to unauthorized command execution with root privileges, enabling attackers to exfiltrate sensitive data, modify or destroy data, disrupt AI operations, or establish persistent backdoors. This compromises confidentiality and integrity, potentially causing operational disruptions and reputational damage. Given the high privileges involved, attackers could pivot within networks to escalate attacks or disrupt critical services. The lack of authentication and user interaction requirements increases the risk of automated exploitation attempts. European data protection regulations such as GDPR impose strict requirements on data security; a breach resulting from this vulnerability could lead to regulatory penalties and loss of customer trust. Organizations relying on HexStrike AI MCP server must assess exposure and prioritize remediation to mitigate these risks.

Mitigation Recommendations

1. Immediately audit all HexStrike AI MCP server deployments to identify vulnerable versions matching commit 2f3a5512 or earlier.
2. Implement strict input validation and sanitization on all command-line arguments passed to the EnhancedCommandExecutor API endpoint, explicitly rejecting or escaping special characters such as semicolons.
3. If possible, disable or restrict access to the EnhancedCommandExecutor API endpoint until a vendor patch or official fix is released.
4. Employ network-level controls such as firewall rules or API gateways to limit access to the MCP server’s management interfaces to trusted administrators and internal networks only.
5. Monitor logs and network traffic for unusual command execution patterns or unexpected API calls indicative of exploitation attempts.
6. Engage with the vendor 0x4m4 for updates on patches or security advisories and apply them promptly once available.
7. Conduct penetration testing and code reviews focusing on command injection vectors in AI infrastructure components.
8. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions capable of detecting and blocking command injection attempts in real time.
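The contrast behind recommendation 2, as an added example (not HexStrike AI's code): a string composed for a shell treats `;` as a command separator, while an argv list run without a shell delivers it as literal data, and an allowlist rejects it before execution. The tool name `scanner`, the `ALLOWED_TOOLS` map, the `SAFE_ARG` pattern and all function names are hypothetical, and the sample arguments are constructed.

```python
import re
import shlex
import subprocess
import sys

# Hypothetical allowlist: tool name -> fixed argv prefix. The stand-in "scanner"
# just prints the arguments it receives, so the example runs offline.
ALLOWED_TOOLS = {"scanner": [sys.executable, "-c", "import sys; print(sys.argv[1:])"]}
# Conservative pattern: no whitespace and no shell metacharacters (; | & $ ` < > ...).
SAFE_ARG = re.compile(r"[A-Za-z0-9_.,:/=@%+-]+")


def shell_view(tool: str, raw_args: str) -> list[str]:
    """Tokenise a concatenated command string the way a POSIX shell would."""
    lexer = shlex.shlex(f"{tool} {raw_args}", posix=True, punctuation_chars=True)
    return list(lexer)


def build_argv(tool: str, args: list[str]) -> list[str]:
    """Validate tool and arguments; return an argv list or raise ValueError."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    for arg in args:
        if not SAFE_ARG.fullmatch(arg):
            raise ValueError(f"rejected argument: {arg!r}")
    return ALLOWED_TOOLS[tool] + args


def run_argv(argv: list[str]) -> str:
    """Execute an argv list with no shell; each element is one literal argument."""
    done = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
    return done.stdout.strip()


if __name__ == "__main__":
    constructed = "; echo INJECTED"  # constructed sample input
    # Concatenated for a shell: ';' becomes its own operator token.
    print(shell_view("scanner", constructed))
    # Passed as one argv element: the stand-in tool sees it as plain text.
    print(run_argv(ALLOWED_TOOLS["scanner"] + [constructed]))
    # Validated path: well-formed arguments pass, the semicolon input is refused.
    print(build_argv("scanner", ["-p", "443", "192.0.2.10"])[3:])
    try:
        build_argv("scanner", [constructed])
    except ValueError as err:
        print(err)
```

Argument validation and shell-free execution are independent layers: the allowlist still matters for tools that interpret their own arguments.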


Technical Details

Data Version: 5.2
Assigner Short Name: AHA
Date Reserved: 2025-04-15T20:41:31.524Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692cba459b44bc92c28db476

Added to database: 11/30/2025, 9:42:29 PM

Last enriched: 11/30/2025, 9:47:37 PM

Last updated: 12/4/2025, 9:01:46 PM
