CVE-2025-11202
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on win-cli-mcp-server installations without authentication. Attackers can inject malicious commands through the resolveCommandPath method, leading to full system compromise. All users running vulnerable versions are affected.
💻 Affected Systems
- win-cli-mcp-server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with attacker gaining service account privileges, enabling lateral movement, data exfiltration, and persistent backdoor installation.
Likely Case
Remote code execution leading to service disruption, data theft, and deployment of ransomware or other malware.
If Mitigated
Limited impact with proper network segmentation and least privilege service accounts, potentially containing damage to isolated segments.
🎯 Exploit Status
No authentication is required, which makes exploitation trivial. The vulnerability is a command injection in a system call, so weaponization is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 521b4a34190d03bde7d433d213c36357181a6d09
Vendor Advisory: https://github.com/simon-ami/win-cli-mcp-server/commit/521b4a34190d03bde7d433d213c36357181a6d09
Restart Required: Yes
Instructions:
1. Update to latest version from GitHub repository
2. Restart win-cli-mcp-server service
3. Verify that the installed build includes commit 521b4a34190d03bde7d433d213c36357181a6d09
🔧 Temporary Workarounds
Network Isolation
Restrict network access to the win-cli-mcp-server service using Windows firewall rules (run from an elevated command prompt; replace <service_port> with the port the service listens on):
netsh advfirewall firewall add rule name="Block win-cli-mcp-server" dir=in action=block protocol=TCP localport=<service_port>
netsh advfirewall firewall add rule name="Block win-cli-mcp-server" dir=out action=block protocol=TCP localport=<service_port>
Service Account Hardening
Run win-cli-mcp-server with minimal privileges using a restricted service account (run from an elevated command prompt; sc.exe requires a space after "obj=", and in PowerShell use sc.exe explicitly because "sc" is an alias for Set-Content):
sc.exe config "win-cli-mcp-server" obj= "NT AUTHORITY\LocalService"
sc.exe stop "win-cli-mcp-server"
sc.exe start "win-cli-mcp-server"
🧯 If You Can't Patch
- Disable win-cli-mcp-server service entirely if not required
- Implement strict network segmentation and firewall rules to isolate vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check if win-cli-mcp-server is running and accessible on the network. Review service version against GitHub commit history.
Check Version:
Check the git log or version file in the win-cli-mcp-server installation directory
Verify Fix Applied:
Verify the installed version includes commit 521b4a34190d03bde7d433d213c36357181a6d09. Test that command injection attempts are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in win-cli-mcp-server logs
- Service account performing unexpected system operations
- Failed authentication attempts if logging enabled
Network Indicators:
- Unusual network connections from win-cli-mcp-server service
- Command injection patterns in network traffic to service port
SIEM Query:
source="win-cli-mcp-server" AND (command="*;*" OR command="*|*" OR command="*&*" OR command="*`*" OR command="*$(*")
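As an added example (not code from the page or from the win-cli-mcp-server project), the metacharacter logic of the SIEM query above applied offline to constructed JSON log lines; the log format, the "source"/"command" field names and the sample records are assumptions for illustration:

```python
import json
import re

# Shell metacharacters mirrored from the SIEM query: ; | & ` and $(
# (the query's "*$(*" wildcard matches a literal "$(" substring).
INJECTION_PATTERNS = {
    "semicolon": re.compile(r";"),
    "pipe": re.compile(r"\|"),
    "ampersand": re.compile(r"&"),
    "backtick": re.compile(r"`"),
    "subshell": re.compile(r"\$\("),
}

# Constructed sample log lines (not real win-cli-mcp-server output): one JSON
# object per line, recording the command the server was asked to run.
SAMPLE_LOG = """\
{"ts": "2025-10-01T10:00:00Z", "source": "win-cli-mcp-server", "command": "dir C:\\\\Users"}
{"ts": "2025-10-01T10:00:05Z", "source": "win-cli-mcp-server", "command": "ipconfig /all"}
{"ts": "2025-10-01T10:00:09Z", "source": "win-cli-mcp-server", "command": "whoami & hostname"}
{"ts": "2025-10-01T10:00:12Z", "source": "other-service", "command": "echo $(id)"}
{"ts": "2025-10-01T10:00:15Z", "source": "win-cli-mcp-server", "command": "type notes.txt | findstr error"}
"""


def flag_injection_indicators(log_text, source="win-cli-mcp-server"):
    """Return (timestamp, command, [indicator names]) for every record whose
    "source" matches and whose command contains a flagged metacharacter."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if record.get("source") != source:
            continue
        command = record.get("command", "")
        found = [name for name, pat in INJECTION_PATTERNS.items() if pat.search(command)]
        if found:
            hits.append((record.get("ts"), command, found))
    return hits


if __name__ == "__main__":
    for ts, cmd, why in flag_injection_indicators(SAMPLE_LOG):
        print(f"{ts} {why}: {cmd}")
```

Like the SIEM query, this flags any command containing the metacharacters, so legitimate chained commands (for example "&&" in a batch step) will also surface; treat the output as triage input and review the flagged commands against the service's expected workload.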