CVE-2025-54074: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in CherryHQ cherry-studio
Cherry Studio is a desktop client that supports multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can set up a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting to it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2.
AI Analysis
Technical Summary
CVE-2025-54074 is a high-severity OS Command Injection vulnerability affecting Cherry Studio, a desktop client developed by CherryHQ that supports multiple large language model (LLM) providers. The vulnerability exists in versions 1.2.5 through 1.5.1 and arises when the client connects to a malicious MCP (Model Communication Protocol) server operating in HTTP Streamable mode. Specifically, the flaw is due to improper neutralization of special elements used in OS commands (CWE-78), allowing an attacker to inject arbitrary OS commands. The attack vector involves an adversary setting up a malicious MCP server with compatible OAuth authorization endpoints to trick victims into establishing a connection. Once connected, the attacker can exploit the injection flaw to execute arbitrary commands on the victim's machine with the privileges of the Cherry Studio client process. This can lead to full system compromise, data theft, or further lateral movement. The vulnerability requires user interaction (connecting to the malicious MCP server) but does not require prior authentication or elevated privileges. The issue has been patched in version 1.5.2 of Cherry Studio. The CVSS 4.0 base score is 7.7, reflecting the network attack vector, low attack complexity, partial user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the potential impact is significant given the ability to execute arbitrary OS commands remotely via a crafted server.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially those using Cherry Studio as part of their AI or LLM integration workflows. Successful exploitation could lead to unauthorized access to sensitive data, disruption of critical AI services, and potential lateral movement within corporate networks. Given the integration with multiple LLM providers, attackers might also manipulate AI-driven processes or exfiltrate proprietary information. The risk is heightened in sectors relying heavily on AI tools, such as finance, healthcare, and technology firms. Additionally, the vulnerability could be leveraged in targeted attacks against organizations collaborating with or developing AI technologies, potentially impacting intellectual property and operational continuity. The requirement for user interaction (connecting to a malicious MCP server) means phishing or social engineering could be used to induce victims to connect, increasing the attack surface. The lack of known exploits in the wild currently provides a window for proactive mitigation.
Mitigation Recommendations
1. Immediate upgrade to Cherry Studio version 1.5.2 or later, where the vulnerability is patched.
2. Implement strict network controls to restrict connections to only trusted MCP servers, including whitelisting known safe endpoints and blocking unknown or suspicious MCP server addresses.
3. Enforce multi-factor authentication and user training to reduce the risk of social engineering attacks that might trick users into connecting to malicious servers.
4. Monitor network traffic for unusual MCP connection attempts or OAuth authorization flows that deviate from normal patterns.
5. Employ endpoint detection and response (EDR) solutions to detect and respond to suspicious OS command executions originating from Cherry Studio processes.
6. Conduct regular security audits and vulnerability assessments on AI integration tools and their communication protocols.
7. Establish incident response plans specifically addressing AI client compromise scenarios to minimize impact if exploitation occurs.
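A triage sketch for recommendations 1 and 2, added here as an illustration and not taken from CherryHQ or the advisory: it flags installs in the affected range (1.2.5 to 1.5.1) and remote MCP servers whose host is not on an allowlist. The inventory records, their field names and all hostnames are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Affected range as stated in the advisory: 1.2.5 through 1.5.1 (fixed in 1.5.2).
FIRST_AFFECTED, LAST_AFFECTED = (1, 2, 5), (1, 5, 1)
# Assumption: hosts of MCP servers the organisation has approved (placeholder).
TRUSTED_MCP_HOSTS = {"mcp.internal.example"}

# Constructed inventory; field names are hypothetical, not a Cherry Studio format.
INVENTORY = [
    {"host": "ws-014", "version": "1.5.1", "mcp_servers": [
        {"transport": "http", "url": "https://mcp.internal.example/mcp"}]},
    {"host": "ws-027", "version": "v1.4.0", "mcp_servers": [
        {"transport": "http", "url": "https://tools.unknown.example:8443/mcp"}]},
    {"host": "ws-031", "version": "1.5.2", "mcp_servers": [
        {"transport": "http", "url": "https://MCP.internal.example.evil.example/mcp"}]},
    {"host": "ws-040", "version": "1.2.4", "mcp_servers": [
        {"transport": "stdio", "url": ""}]},
]

def parse_version(text):
    """'v1.5.1' -> (1, 5, 1); pre-release/build suffixes are ignored."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected(version):
    """Numeric comparison, so 1.10.0 is correctly treated as newer than 1.5.1."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED

def unapproved_servers(servers, trusted=TRUSTED_MCP_HOSTS):
    """URLs of remote MCP servers whose exact hostname is not allowlisted."""
    flagged = []
    for server in servers:
        if server["transport"] == "stdio":
            continue  # local process: no remote server or OAuth endpoints
        host = (urlsplit(server["url"]).hostname or "").lower()
        if host not in trusted:  # exact match, so look-alike suffixes fail
            flagged.append(server["url"])
    return flagged

def triage(inventory):
    """Map each host to urgent / upgrade / review-servers / ok."""
    labels = {(True, True): "urgent", (True, False): "upgrade",
              (False, True): "review-servers", (False, False): "ok"}
    return {item["host"]: labels[(is_affected(item["version"]),
                                  bool(unapproved_servers(item["mcp_servers"])))]
            for item in inventory}
```

Hosts marked `urgent` run an affected version and are configured for a remote server that is not on the allowlist, so they are the ones to upgrade first.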
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-16T13:22:18.205Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 689c9784ad5a09ad00420ca6
Added to database: 8/13/2025, 1:47:48 PM
Last enriched: 8/13/2025, 2:03:48 PM
Last updated: 8/13/2025, 2:50:01 PM