CVE-2025-61492
terminal-controller-mcp · terminal-controller-mcp
A command injection vulnerability in the terminal-controller-mcp 0.1.7 execute_command function allows remote attackers to execute arbitrary system commands via crafted input.
Executive summary
A critical command injection vulnerability in terminal-controller-mcp 0.1.7 allows for full system compromise through the execution of arbitrary commands.
Vulnerability
This is a command injection vulnerability in the execute_command function: user-supplied input reaches a system command without proper sanitization, so an attacker can inject and execute arbitrary system-level commands.
Business impact
Successful exploitation allows an attacker to gain full control over the host system, leading to complete data exfiltration, service disruption, or the establishment of persistent backdoors. With a CVSS score of 10.0, this represents the highest level of risk to operational technology and infrastructure.
Remediation
Immediate Action: Update terminal-controller-mcp to the latest available version provided by the developer.
Proactive Monitoring: Monitor system process logs for unauthorized command execution or unexpected child processes spawned by the controller service.
Compensating Controls: Isolate the affected service within a restricted network segment or container environment to limit the impact of potential command execution.
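A way to put the "Proactive Monitoring" step into practice, as an added example that is not part of the advisory or of the terminal-controller-mcp project: it reviews process-creation events and flags children of the controller service that are shell interpreters, that are not on an expected-executable allowlist, or whose command line carries shell chaining tokens. The process name, the allowlist and the sample events are constructed assumptions, not values from the advisory.

```python
import os
import re

# Assumptions (not from the advisory): the controller runs as a process named
# CONTROLLER and is only expected to spawn the executables in EXPECTED_CHILDREN.
CONTROLLER = "terminal-controller-mcp"
EXPECTED_CHILDREN = {"ls", "cat", "pwd", "git", "grep"}

# Shell chaining / substitution tokens. Seeing them in a child's command line
# suggests the input reached a shell interpreter rather than a single program.
CHAINING = re.compile(r"(;|\|\||\||&&|`|\$\()")

# Constructed sample events: (parent process name, child executable, child command line).
SAMPLE_EVENTS = [
    ("terminal-controller-mcp", "/bin/ls", "ls -la /srv/data"),               # ordinary
    ("terminal-controller-mcp", "/bin/sh", "sh -c 'ls /srv/data; id'"),        # shell + chaining
    ("terminal-controller-mcp", "/usr/bin/git", "git status"),                # ordinary
    ("terminal-controller-mcp", "/usr/bin/python3", "python3 -c 'print(1)'"), # not on allowlist
    ("sshd", "/bin/bash", "bash -lc 'ls; id'"),                               # different parent
]


def review_event(parent, exe, cmdline):
    """Return the reasons an event is suspicious (empty list if it looks fine)."""
    if parent != CONTROLLER:
        return []  # only children of the controller service are in scope
    reasons = []
    name = os.path.basename(exe)
    if name in {"sh", "bash", "dash", "zsh"}:
        reasons.append("shell interpreter spawned directly")
    elif name not in EXPECTED_CHILDREN:
        reasons.append(f"unexpected child executable {name}")
    if CHAINING.search(cmdline):
        reasons.append("command line contains shell chaining/substitution tokens")
    return reasons


def review_events(events):
    """Map event index -> reasons, for every event that triggers at least one rule."""
    findings = {}
    for i, (parent, exe, cmdline) in enumerate(events):
        reasons = review_event(parent, exe, cmdline)
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, why in review_events(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][2], "->", "; ".join(why))
```

In a real deployment the tuples would come from an EDR or auditd/Sysmon feed, and the allowlist should be derived from what the service legitimately runs in your environment.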
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This vulnerability presents an extreme risk and requires immediate attention. Organizations using this software should patch immediately, as the ability to execute arbitrary commands gives an attacker total control over the host.