CVE-2025-11202 Overview
CVE-2025-11202 is a command injection vulnerability in win-cli-mcp-server that allows remote attackers to execute arbitrary code on affected installations. The vulnerability exists in the resolveCommandPath method, which fails to properly validate user-supplied strings before using them in system calls. Authentication is not required to exploit this vulnerability, making it particularly dangerous for exposed deployments.
This flaw enables attackers to inject malicious commands that execute with the privileges of the service account running win-cli-mcp-server. The vulnerability was tracked by the Zero Day Initiative as ZDI-CAN-27787 and assigned advisory ZDI-25-930.
Critical Impact
Unauthenticated remote code execution allowing complete system compromise with service account privileges via command injection in the resolveCommandPath method.
Affected Products
- win-cli-mcp-server (versions prior to commit 521b4a34190d03bde7d433d213c36357181a6d09)
Discovery Timeline
- October 29, 2025 - CVE-2025-11202 published to NVD
- October 30, 2025 - Last updated in NVD database
Technical Details for CVE-2025-11202
Vulnerability Analysis
The vulnerability resides in the resolveCommandPath function within the src/utils/validation.ts file of win-cli-mcp-server. This function was designed to locate executable paths using the Windows where command, but it failed to sanitize user input before incorporating it into the shell command execution.
The function used execAsync, a promisified wrapper around Node's child_process.exec, which runs its command string through cmd.exe. The command was built by directly interpolating the user-supplied command parameter into a template string passed to where. This pattern is a classic example of CWE-78 (Improper Neutralization of Special Elements used in an OS Command): it lets an attacker break out of the intended command context and run arbitrary commands on the underlying system.
Since the vulnerability can be exploited without authentication over the network, attackers can achieve full remote code execution on vulnerable win-cli-mcp-server deployments.
Root Cause
The root cause is insufficient input validation in the resolveCommandPath function. User-supplied command names were passed directly to execAsync without any sanitization or escaping, allowing shell metacharacter injection. The vulnerable code constructed the command as:
await execAsync(`where "${command}"`, { encoding: 'utf8' });
An attacker could inject shell metacharacters (such as ", &, |, or ;) to escape the quoted string and append additional commands for execution.
Attack Vector
The attack vector is network-based with low complexity. An attacker can craft a malicious request containing shell metacharacters in the command parameter. When the resolveCommandPath function processes this input, the injected commands execute with the privileges of the service account. No authentication, user interaction, or special privileges are required for exploitation.
The following code shows the vulnerable resolveCommandPath function that was removed in the security patch:
import { exec } from 'child_process';
import { promisify } from 'util';

// execAsync is child_process.exec wrapped in a promise; exec hands its
// argument to cmd.exe, so the interpolated string is parsed by the shell.
const execAsync = promisify(exec);

export async function resolveCommandPath(command: string): Promise<string | null> {
  try {
    // Vulnerable: `command` is interpolated unescaped into a shell command line (CWE-78).
    const { stdout } = await execAsync(`where "${command}"`, { encoding: 'utf8' });
    return stdout.split('\n')[0].trim();
  } catch {
    return null;
  }
}
Source: GitHub Commit
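As an added illustration (not the project's own code; the upstream patch deleted the function rather than hardening it), the same lookup can be done without a shell: the name is checked against an allowlist pattern and where is started through execFile with an argument array, so cmd.exe never parses the input. The function and pattern names are assumptions.

```typescript
import { execFile } from 'child_process';
import { promisify } from 'util';

const execFileAsync = promisify(execFile);

// Allowlist for a bare executable name: starts alphanumeric, then letters, digits,
// dot, underscore or hyphen. Rejects quotes, path separators and every cmd.exe
// metacharacter (& | ; ^ < > `) that the `where "${command}"` template would have
// handed to the shell.
const COMMAND_NAME = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$/;

export function isSafeCommandName(command: string): boolean {
  return COMMAND_NAME.test(command);
}

// Hypothetical hardened variant of resolveCommandPath (the real fix removed the function).
// execFile spawns where.exe directly with an argv array; nothing is shell-parsed, so the
// allowlist is defence in depth rather than the only barrier.
export async function resolveCommandPathSafe(command: string): Promise<string | null> {
  if (!isSafeCommandName(command)) {
    return null;
  }
  try {
    const { stdout } = await execFileAsync('where', [command]);
    const first = stdout.split(/\r?\n/)[0].trim();
    return first.length > 0 ? first : null;
  } catch {
    // where.exe exits non-zero when nothing matches (and execFile fails off Windows)
    return null;
  }
}
```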
Detection Methods for CVE-2025-11202
Indicators of Compromise
- Unusual process spawning from the win-cli-mcp-server service account
- Windows where.exe executions with suspicious command line arguments containing shell metacharacters
- Unexpected child processes of the Node.js process running win-cli-mcp-server
- Network connections or file system modifications by the service that deviate from normal operation
Detection Strategies
- Monitor for where.exe process creation, and for the cmd.exe instance that Node's exec launches it through, with command lines containing characters like &, |, ;, or backticks
- Implement network intrusion detection rules to identify malicious payloads targeting the win-cli-mcp-server API
- Deploy endpoint detection to alert on command injection patterns in process creation events
- Review application logs for unusual or malformed command resolution requests
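The process-creation check described above, as an added example run over constructed sample events (not telemetry from the page or the project). Because Node's exec wraps the template string in cmd.exe /c, the injected metacharacters appear on cmd.exe's command line while the where.exe child looks clean, so the check inspects both images and scopes them to the Node.js parent. Field names and the node.exe path are assumptions.

```typescript
// Constructed sample records in the shape of Windows 4688 / Sysmon Event ID 1 process
// creation events, reduced to the fields this check needs (not real telemetry).
export interface ProcessEvent { parentImage: string; image: string; commandLine: string; }

export const SAMPLE_EVENTS: ProcessEvent[] = [
  // 0: legitimate lookup spawned by the server
  { parentImage: 'C:\\Program Files\\nodejs\\node.exe', image: 'C:\\Windows\\System32\\where.exe',
    commandLine: 'where "notepad"' },
  // 1: injected input; Node's exec wraps it in cmd.exe /c, so the metacharacter is visible here
  { parentImage: 'C:\\Program Files\\nodejs\\node.exe', image: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: 'cmd.exe /d /s /c "where "x" & whoami"' },
  // 2: the where.exe child of that cmd.exe sees only its own argument and looks clean
  { parentImage: 'C:\\Windows\\System32\\cmd.exe', image: 'C:\\Windows\\System32\\where.exe',
    commandLine: 'where "x"' },
  // 3: an admin piping where output interactively; parent is not the server, so out of scope
  { parentImage: 'C:\\Windows\\explorer.exe', image: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: 'cmd.exe /c "where python | findstr 3"' },
];

const NODE_PARENT = /\\node\.exe$/i;
const SHELL_OR_WHERE = /\\(cmd|where)\.exe$/i;
// cmd.exe metacharacters that can terminate or chain a command; quotes alone are
// normal in `where "name"` and are deliberately not matched.
const SHELL_META = /[&|;^<>`]/;

export interface Finding { index: number; reason: string; }

// Flags cmd.exe or where.exe launched by the Node.js host whose effective command
// (after stripping any `/c "` wrapper) is a `where` lookup containing a metacharacter.
export function detectWhereInjection(events: ProcessEvent[]): Finding[] {
  const findings: Finding[] = [];
  events.forEach((e, index) => {
    if (!NODE_PARENT.test(e.parentImage) || !SHELL_OR_WHERE.test(e.image)) return;
    const body = e.commandLine.replace(/^.*?\/c\s+"?/i, '');
    if (/^\s*where\b/i.test(body) && SHELL_META.test(body)) {
      findings.push({ index, reason: `metacharacter in where lookup: ${e.commandLine}` });
    }
  });
  return findings;
}
```

Event 2 shows why a rule keyed only on where.exe's own command line misses the injected call; correlate on the parent cmd.exe or on the process tree.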
Monitoring Recommendations
- Enable verbose logging for win-cli-mcp-server and forward logs to a SIEM for analysis
- Configure process creation auditing on Windows systems running the vulnerable server
- Monitor network traffic to/from win-cli-mcp-server for anomalous patterns
- Implement behavioral analysis to detect deviations from baseline service activity
How to Mitigate CVE-2025-11202
Immediate Actions Required
- Update win-cli-mcp-server to the latest version containing commit 521b4a34190d03bde7d433d213c36357181a6d09
- Restrict network access to win-cli-mcp-server to trusted sources only
- Run the service with the minimum required privileges to limit the impact of a compromise
- Review logs for any evidence of exploitation prior to patching
Patch Information
The vulnerability was addressed by completely removing the vulnerable resolveCommandPath function from the codebase. The security patch is available in commit 521b4a34. Organizations should update to the latest version of win-cli-mcp-server that includes this fix. Additional details are available in the ZDI-25-930 advisory.
Workarounds
- Implement network-level access controls to limit exposure of win-cli-mcp-server to untrusted networks
- Deploy a web application firewall (WAF) with rules to block command injection patterns
- Consider disabling or removing the service until patching is possible for high-risk environments
- Use network segmentation to isolate systems running the vulnerable software
# Example: restrict inbound access with Windows Firewall (elevated prompt). The server runs
# under Node.js, so match the node executable; replace the path and trusted subnet as needed.
# Block rules take precedence over allow rules, so a "block remoteip=any" rule for the same
# program would also block the trusted subnet; rely on the default inbound block instead.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Allow MCP Server Trusted" dir=in action=allow program="C:\path\to\node.exe" remoteip=192.168.1.0/24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.