CVE-2026-5059
AWS · aws-mcp-server
The aws-mcp-server is vulnerable to remote code execution via AWS CLI command injection, allowing attackers to execute arbitrary system commands without authentication.
Executive summary
An unauthenticated remote code execution vulnerability in aws-mcp-server allows attackers to execute arbitrary commands, creating a critical security risk.
Vulnerability
This is a command injection vulnerability in the handling of the allowed-commands list. The application fails to validate user-supplied command strings against that list, allowing unauthenticated remote attackers to execute arbitrary operating-system commands.
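The kind of check the advisory describes as missing, as an added defensive example rather than code from aws-mcp-server: the request is tokenised, the service and operation are matched exactly against an allow list, every further argument is restricted to a conservative character set, and the resulting argv list is executed without a shell. ALLOWED_OPERATIONS, SAFE_TOKEN and the function names are assumptions made for illustration.

```python
import re
import shlex
import subprocess

# Constructed allow list for this example: the exact (service, operation)
# pairs the server is permitted to run. Anything else is refused.
ALLOWED_OPERATIONS = {("s3", "ls"), ("ec2", "describe-instances"), ("sts", "get-caller-identity")}

# Deliberately strict character set for every argument after the operation: no
# whitespace, quotes or shell-significant characters (; | & $ ` < > ( ) { }).
# This also blocks --query expressions containing brackets; widen only with care.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._:/=,@+-]+$")

class CommandRejected(ValueError):
    """Raised when a requested command fails validation."""

def validate_aws_command(command: str) -> list[str]:
    """Return an argv list for `command` if it is an allowed AWS CLI call.

    Tokenise as a POSIX shell would, require 'aws <service> <operation>' with
    the pair on the allow list, and require every remaining token to match
    SAFE_TOKEN. The result is a list that is never re-parsed by a shell, so an
    appended ';' or '&&' stays a literal token and is rejected here.
    """
    try:
        argv = shlex.split(command, posix=True)
    except ValueError as exc:  # unbalanced quotes
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if len(argv) < 3 or argv[0] != "aws":
        raise CommandRejected("expected 'aws <service> <operation> [args]'")
    if (argv[1], argv[2]) not in ALLOWED_OPERATIONS:
        raise CommandRejected(f"operation not on allow list: {argv[1]} {argv[2]}")
    for token in argv[3:]:
        if not SAFE_TOKEN.match(token):
            raise CommandRejected(f"disallowed characters in argument: {token!r}")
    return argv

def is_allowed(command: str) -> bool:
    """True if validate_aws_command accepts `command`, False if it rejects it."""
    try:
        validate_aws_command(command)
        return True
    except CommandRejected:
        return False

def run_aws_command(command: str) -> subprocess.CompletedProcess:
    """Validate, then run the argv list with shell=False so the OS receives
    exactly the validated tokens (requires the aws CLI on PATH)."""
    return subprocess.run(validate_aws_command(command), shell=False,
                          capture_output=True, text=True, check=False)
```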
Business impact
With a CVSS score of 9.8, this vulnerability is critical. Successful exploitation allows an attacker to run code with the privileges of the MCP server, leading to potential data theft, infrastructure disruption, and unauthorized access to cloud resources.
Remediation
Immediate Action: Update all aws-mcp-server installations to the latest vendor-supplied version.
Proactive Monitoring: Monitor server logs for unauthorized command execution or anomalous process activity linked to the MCP service.
Compensating Controls: Use network segmentation and restrictive IAM policies to limit the blast radius should the MCP server be compromised.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Due to the critical severity of this remote code execution flaw, immediate patching is required. Security teams should verify the version of all deployed instances and apply updates as a top priority.