EXECUTIVE SUMMARY:
A critical command injection vulnerability, CVE-2025-61492, has been observed in the execute_command function of terminal-controller-mcp, where insufficient input sanitization allows an attacker to supply crafted input that results in arbitrary command execution on the affected system. This flaw enables unauthenticated adversaries to remotely execute system commands with the privileges of the application, without any user interaction, potentially leading to full system compromise, unauthorized access to sensitive data, service disruption, and lateral movement within the environment. The vulnerability originates from improper neutralization of special command elements. Because it is network-accessible and has low attack complexity, organizations using the vulnerable component should prioritize mitigation by upgrading to patched versions, applying strict input validation, and restricting network access to affected services to reduce exposure. The vulnerability has a CVSS score of 10.0.
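As an added illustration (not code from this advisory or from terminal-controller-mcp itself), the weakness class described above: a command string passed straight to a shell, beside a hardened executor that neutralizes special command elements before anything reaches the OS. The function names, the metacharacter set and the binary allowlist are assumptions for the example.

```python
"""Hypothetical illustration of the improper-neutralization pattern and one
mitigation; not the project's own execute_command."""
import re
import shlex
import subprocess

# Characters that let the shell turn one "command" into several or redirect
# its I/O. With shell=False these are inert, but rejecting them up front
# keeps the tool's contract explicit and makes abuse attempts easy to log.
_SHELL_META = re.compile(r"[;&|`$<>\n\r\\(){}*?\[\]~]")

# Hypothetical allowlist of binaries the tool is meant to expose.
ALLOWED_BINARIES = {"ls", "cat", "echo", "uname"}


def classify_command(cmd: str) -> str:
    """Return 'ok' or the reason the command must be rejected."""
    if not cmd or not cmd.strip():
        return "empty command"
    if _SHELL_META.search(cmd):
        return "shell metacharacter present"
    try:
        argv = shlex.split(cmd)          # honours quoting, never the shell
    except ValueError as exc:
        return f"unparseable quoting: {exc}"
    if not argv:
        return "empty command"
    if argv[0] not in ALLOWED_BINARIES:
        return f"binary not allowlisted: {argv[0]}"
    return "ok"


def execute_command_unsafe(cmd: str) -> str:
    """The vulnerable pattern: untrusted text is re-parsed by /bin/sh."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def execute_command_hardened(cmd: str, timeout: float = 5.0) -> str:
    """Validate first, then run an argv list with shell=False so the OS never
    interprets separators; a rejected input raises instead of executing."""
    verdict = classify_command(cmd)
    if verdict != "ok":
        raise ValueError(f"rejected: {verdict}")
    argv = shlex.split(cmd)
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    print(classify_command("echo hi && uname -a"))   # rejected
    print(execute_command_hardened("echo hello"), end="")
```

The allowlist on `argv[0]` is what bounds the blast radius; the metacharacter check alone would still let a permitted binary be pointed at arbitrary arguments.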
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: