Cyber Posture

CVE-2025-11490

MediumPublic PoC

Published: 08 October 2025

Published
08 October 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0015 35.1th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Security Summary

CVE-2025-11490 is an OS command injection vulnerability affecting wonderwhy-er DesktopCommanderMCP versions up to 0.2.13. The issue resides in the extractBaseCommand function within the src/command-manager.ts file of the Absolute Path Handler component. Manipulation of this function enables arbitrary OS command execution, as classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

A remote attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows injection of malicious OS commands, potentially resulting in low-level impacts to confidentiality, integrity, and availability, such as limited data exposure, command alteration, or minor service disruption.

Advisories reference GitHub issue #218 in the DesktopCommanderMCP repository, where the vendor notes the vulnerability remains open for monitoring long-term reports. No patches are mentioned, and the vendor observes that typical AI-driven workflows involve the model selecting simple command names without absolute paths, making deliberate bypasses by users unlikely; no real-world issues have been reported in actual deployments.

The exploit has been publicly disclosed, and the vulnerability ties into AI-assisted command execution scenarios, where models generate desktop commands.

Details

CWE(s)
CWE-77CWE-78

Affected Products

wonderwhy-er
desktopcommandermcp
≤ 0.2.13

AI Security Analysis

AI Category
AI Agent Protocols and Integrations
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
DesktopCommanderMCP is a component designed for AI agents to execute desktop commands, where AI models generate commands that are processed by the command manager (src/command-manager.ts). The vulnerability involves bypassing a command blocklist via absolute paths in AI-generated commands, directly tying it to AI agent integrations and protocols for command execution.

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

OS command injection via absolute path bypass in command handler enables remote arbitrary OS command execution (T1210), abuse of command interpreters (T1059), and indirect command execution through the flawed parser (T1202).

References