
CVE-2025-58062: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in LSTM-Kirigaya openmcp-client

Severity: High
Tags: Vulnerability, CVE-2025-58062, cve, cve-2025-58062, cwe-78
Published: Thu Aug 28 2025 (08/28/2025, 22:14:01 UTC)
Source: CVE Database V5
Vendor/Project: LSTM-Kirigaya
Product: openmcp-client

Description

LSTM-Kirigaya's openmcp-client is a VS Code plugin for MCP developers. Prior to version 0.1.12, when users on a Windows platform connect to an attacker-controlled MCP server, attackers could provision a malicious authorization server endpoint to silently achieve an OS command injection attack in the open() invocation, leading to client system compromise. This issue has been patched in version 0.1.12.

AI-Powered Analysis

Last updated: 08/28/2025, 22:47:45 UTC

Technical Analysis

CVE-2025-58062 is a high-severity OS command injection vulnerability (CWE-78) in openmcp-client, a Visual Studio Code plugin developed by LSTM-Kirigaya for MCP developers. It affects versions prior to 0.1.12 on Windows platforms. The issue arises when a user connects to a maliciously controlled MCP server that provisions a crafted authorization server endpoint. Because special elements in that endpoint are not properly neutralized before the plugin's open() invocation, an attacker can execute arbitrary operating system commands on the client machine. The attack requires the user to connect to an attacker-controlled MCP server, which then triggers the command injection silently, without the user being aware of it. The vulnerability has been patched in version 0.1.12. The CVSS 4.0 base score is 7.3, reflecting a high severity level. The vector metrics indicate a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), active user interaction (UI:A), and high impact on confidentiality, integrity, and availability (VC:H, VI:H, VA:H). No known exploits are currently reported in the wild. The issue is serious because it allows remote code execution on client systems through a trusted development tool, potentially compromising developer environments and sensitive codebases.
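One way a client could neutralize a server-supplied authorization endpoint before handing it to a URL opener, shown as an added example (not openmcp-client's code and not its 0.1.12 patch). The names `normalizeAuthorizationUrl` and `SHELL_ACTIVE`, the https-only policy, and the `auth.example.com` inputs are assumptions made for illustration.

```javascript
// Added example; every identifier here is hypothetical.
// Characters that cmd.exe or PowerShell may interpret and that the WHATWG
// URL serializer can leave unescaped in the path, query or fragment.
const SHELL_ACTIVE = /[\s"'`$()|^;!<>{}\\]/g;
// Strict host pattern: lowercase letters, digits, dots and hyphens only.
// IPv6 literals and trailing-dot names are deliberately refused.
const DNS_NAME = /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/;

function pctEncode(part) {
  return part.replace(SHELL_ACTIVE, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
}

// Returns a rebuilt URL string, or throws if the endpoint is unacceptable.
function normalizeAuthorizationUrl(raw, allowedHosts = null) {
  if (typeof raw !== "string" || raw.length > 2048) {
    throw new Error("endpoint must be a string of reasonable length");
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error("endpoint is not a valid absolute URL");
  }
  if (url.protocol !== "https:") throw new Error("only https: endpoints are opened");
  if (url.username || url.password) throw new Error("credentials in URL are refused");
  // The URL parser tolerates characters such as $ or ( in hosts, so check again.
  if (!DNS_NAME.test(url.hostname)) throw new Error("hostname has unexpected characters");
  if (allowedHosts && !allowedHosts.includes(url.hostname)) {
    throw new Error("host is not on the allow list");
  }
  // Rebuild from parsed components instead of reusing the raw string.
  const port = url.port ? ":" + url.port : "";
  return "https://" + url.hostname + port +
    pctEncode(url.pathname) + pctEncode(url.search) + pctEncode(url.hash);
}
```

Because `&` has to stay literal in query strings, the returned value should still be passed as a single argument to an opener that does not route through cmd.exe or PowerShell.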

Potential Impact

For European organizations, especially those involved in software development using Visual Studio Code and MCP frameworks, this vulnerability poses a significant risk. Compromise of developer workstations can lead to unauthorized access to source code, intellectual property theft, insertion of malicious code, and lateral movement within corporate networks. Since the vulnerability requires connection to a malicious MCP server, targeted supply chain or social engineering attacks could be employed to trick developers into connecting to attacker-controlled endpoints. This could impact confidentiality of proprietary code and integrity of software products under development. Additionally, compromised developer machines could be leveraged as footholds for broader network intrusion, affecting availability of critical development infrastructure. Organizations with remote or hybrid developer teams using Windows platforms are particularly at risk. The silent nature of the attack increases the likelihood of undetected compromise, complicating incident response and forensic investigations.

Mitigation Recommendations

1. Immediate upgrade: Ensure all users of the openmcp-client plugin upgrade to version 0.1.12 or later, where the vulnerability is patched.
2. Network controls: Restrict connections to trusted MCP servers only, using network segmentation, firewall rules, or VPNs to prevent connections to untrusted or unknown servers.
3. Endpoint protection: Deploy endpoint detection and response (EDR) solutions capable of detecting anomalous command execution patterns on developer machines.
4. User awareness: Train developers to verify MCP server endpoints before connecting and to report suspicious behavior.
5. Code signing and integrity checks: Verify the integrity and authenticity of plugins and related tools to prevent tampering.
6. Monitoring and logging: Implement detailed logging of plugin network activity and command executions to detect potential exploitation attempts.
7. Incident response readiness: Prepare playbooks for rapid containment and remediation if exploitation is suspected, including isolating affected machines and conducting forensic analysis.
8. Limit privileges: Run development tools with least privilege necessary to reduce impact of potential command injection.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-22T14:30:32.222Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68b0d910ad5a09ad00702707

Added to database: 8/28/2025, 10:32:48 PM

Last enriched: 8/28/2025, 10:47:45 PM

Last updated: 8/28/2025, 11:28:14 PM
