CVE-2025-35028: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in 0x4m4 HexStrike AI
By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025).
AI Analysis
Technical Summary
CVE-2025-35028 is an OS command injection vulnerability classified under CWE-78, affecting the HexStrike AI MCP server developed by 0x4m4. The vulnerability stems from the EnhancedCommandExecutor class, which exposes an API endpoint that accepts command-line arguments without proper sanitization. Specifically, if an attacker provides an argument beginning with a semicolon (;), the server concatenates this input into a shell command and executes it directly in the server’s operating system context. Since the MCP server typically runs with root privileges, this allows an attacker to execute arbitrary commands with full system rights. The affected version corresponds to the commit 2f3a5512 from September 2025, and no patches have been published yet. The vulnerability requires no authentication or user interaction, making remote exploitation feasible over the network. The CVSS v3.1 score of 9.1 reflects the critical nature of this flaw, highlighting its high impact on confidentiality and integrity, though availability impact is rated low. While no active exploits have been reported, the simplicity of the injection vector and the high privileges involved make this a significant threat. The vulnerability could be leveraged to deploy malware, exfiltrate sensitive data, or disrupt AI operations. HexStrike AI is used in various AI-driven applications, including automated decision-making and data analysis, increasing the potential impact of a compromise. The lack of input validation and command execution controls in the default configuration exacerbates the risk.
Potential Impact
For European organizations, this vulnerability poses a severe risk to systems running HexStrike AI MCP servers, particularly those in critical sectors such as finance, healthcare, energy, and government. Exploitation could lead to unauthorized access to sensitive data, manipulation of AI-driven processes, and full system compromise due to root-level command execution. This could disrupt business operations, cause data breaches, and damage organizational reputation. Given the AI platform’s role in automated decision-making, attackers might alter outputs or inject malicious logic, impacting service integrity and trust. The vulnerability’s network accessibility and lack of authentication requirements increase the likelihood of remote attacks, potentially affecting multiple organizations simultaneously. The absence of known exploits currently provides a window for proactive mitigation, but the critical severity demands immediate attention to prevent future attacks. Additionally, regulatory compliance in Europe, such as GDPR, could be impacted by data breaches resulting from this vulnerability, leading to legal and financial consequences.
Mitigation Recommendations
1. Monitor 0x4m4 vendor communications closely for official patches or updates addressing CVE-2025-35028 and apply them immediately upon release.
2. Until patches are available, restrict network access to the HexStrike AI MCP server’s API endpoints using firewalls or network segmentation to limit exposure to trusted hosts only.
3. Implement Web Application Firewall (WAF) rules or intrusion prevention systems (IPS) to detect and block command injection patterns, particularly inputs starting with semicolons or other shell metacharacters.
4. Employ strict input validation and sanitization at the application layer to reject or safely handle special characters in command-line arguments.
5. Run the MCP server with the least privilege necessary, avoiding root-level execution where possible, to minimize the impact of potential exploitation.
6. Conduct regular security audits and penetration testing focused on injection vulnerabilities in AI platforms.
7. Establish comprehensive logging and monitoring to detect anomalous command execution or API usage patterns indicative of exploitation attempts.
8. Educate development and operations teams about secure coding practices related to command execution and input handling in AI systems.
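The following sketch illustrates recommendation 4 and the flaw described in the Technical Summary. It is an added example, not HexStrike AI code: the function names, the `ALLOWED_TOOLS` allowlist and the sample input are hypothetical. It shows how a shell splits a concatenated command string at a leading semicolon, next to a validated argv list executed without a shell.

```python
import shlex
import subprocess

ALLOWED_TOOLS = {"echo", "printf"}        # hypothetical allowlist for this sketch
SHELL_META = set(";|&$`<>(){}[]\\\n\r'\"*?!~#")
SEPARATORS = set(";&|")

def compose_unsafe(tool, args):
    """Pattern from the advisory: caller-supplied arguments joined into one shell string."""
    return f"{tool} {args}"

def shell_segments(command):
    """Split a string into the separate commands a POSIX shell would see. Runs nothing."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    segments, current = [], []
    for token in lexer:
        if token and set(token) <= SEPARATORS:   # ; && || | start a new command
            if current:
                segments.append(current)
            current = []
        else:
            current.append(token)
    if current:
        segments.append(current)
    return segments

def build_argv(tool, args):
    """Validate the request and return an argv list that never goes through a shell."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not on allowlist: {tool!r}")
    bad = sorted(set(args) & SHELL_META)
    if bad:
        raise ValueError(f"shell metacharacters rejected: {bad!r}")
    return [tool, *shlex.split(args)]

def run_safe(tool, args, timeout=5):
    """Execute with shell=False so each argument reaches the tool as literal text."""
    argv = build_argv(tool, args)
    done = subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return done.returncode, done.stdout

if __name__ == "__main__":
    hostile = "; echo INJECTED"           # constructed sample input
    print(shell_segments(compose_unsafe("echo", hostile)))  # two commands, not one
    try:
        build_argv("echo", hostile)
    except ValueError as err:
        print("rejected:", err)
    print(run_safe("echo", "hello world"))
```

The metacharacter check is defense in depth: with `shell=False` a semicolon would already reach the tool as a literal argument. Neither control replaces running the server as an unprivileged user (recommendation 5).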
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: AHA
- Date Reserved: 2025-04-15T20:41:31.524Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692cba459b44bc92c28db476
Added to database: 11/30/2025, 9:42:29 PM
Last enriched: 12/7/2025, 9:54:07 PM
Last updated: 1/19/2026, 4:42:27 AM