Kali Linux's Official MCP Server Has a Textbook Command Injection Vulnerability
A security researcher found that the mcp-kali-server package - shipped in Kali's official repos - interpolates AI-supplied parameters directly into shell commands with shell=True, enabling trivial arbitrary command execution.

The Kali Linux MCP server - the same tool that Kali shipped last week as its official Claude AI integration for penetration testing - has a textbook command injection vulnerability. Every tool handler in server.py interpolates AI-supplied parameters directly into shell command strings executed via subprocess with shell=True, with no escaping or argument separation.
"Most tool handlers in server.py interpolate AI-supplied parameters directly into shell command strings executed via subprocess with shell=True, without argument separation or escaping. Any MCP client - or a prompt-injection payload embedded in a scan target's response - can escalate from text to arbitrary code execution on the Kali host."
- GitHub Issue #37, MCP-Kali-Server
A trivial exploit: sending {"target": "example.com; rm -rf /"} to the nmap endpoint executes nmap -sCV example.com; rm -rf / as a shell command. The vulnerability affects the nmap, sqlmap, gobuster, hydra, john, nikto, enum4linux-ng, wpscan, and metasploit handlers - plus a generic /api/command endpoint that accepts arbitrary shell commands with zero validation.
TL;DR
- The mcp-kali-server package in Kali's official repos passes AI-supplied input directly into shell commands with shell=True and no sanitization
- Every tool handler (nmap, sqlmap, gobuster, hydra, john, metasploit, etc.) is affected, plus a generic /api/command endpoint
- The attack chain is prompt injection to command injection: poisoned scan targets can compromise the tester's own machine through the AI agent
- The vulnerability was filed as Issue #37 on GitHub on February 26. As of publication, there's no maintainer response, no patch, and no fix
- This isn't isolated: Endor Labs found 34% of 2,614 MCP implementations use APIs prone to command injection
The Vulnerability
The Code Pattern
The vulnerable code follows the same pattern across every tool handler in server.py. Here is the nmap handler:
command = f"nmap {scan_type} -p {ports} {additional_args} {target}"
result = execute_command(command)
And gobuster:
command = f"gobuster {mode} -u {url} -w {wordlist}"
if additional_args:
    command += f" {additional_args}"
And hydra:
command += f" -l {username}"
command += f" -p {password}"
command += f" {target} {service} {additional_args}"
Every parameter - target, url, username, password, ports, wordlist, data, hash_file, additional_args - is string-interpolated into a shell command with no escaping. The execute_command function runs these with shell=True, meaning the shell interprets semicolons, pipes, backticks, and all other metacharacters.
There is also a generic endpoint that accepts any command:
@app.route("/api/command", methods=["POST"])
def generic_command():
    command = params.get("command", "")
    result = execute_command(command)
The fix is standard Python practice and straightforward: build an argument list and run it without a shell, so metacharacters in any parameter are passed to the program as literal text:
import shlex
import subprocess
args = ["nmap"] + shlex.split(scan_type) + shlex.split(additional_args) + [target]
subprocess.run(args, shell=False, ...)
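To make the difference concrete, here is an added example (not code from mcp-kali-server) that places the vulnerable handler shape beside a hardened one. The hardened version validates the fields most likely to be influenced by a scanned target, builds an argv list, and proves with /bin/echo that list-form execution hands a hostile string to the program as one literal argument; the regexes and helper names are my own assumptions.

```python
import re
import shlex
import subprocess

# Hypothetical handler shapes for illustration, not code from mcp-kali-server.

def vulnerable_nmap_command(scan_type: str, ports: str, additional_args: str, target: str) -> str:
    """The pattern the article describes: one string, later run with shell=True.
    Anything the AI places in `target` is parsed by the shell, ';' included."""
    return f"nmap {scan_type} -p {ports} {additional_args} {target}"

# Allowlists (assumed here) for the values most likely to originate from a target.
_TARGET_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-_:/]{0,252}")  # host, IPv4/IPv6, CIDR
_PORTS_RE = re.compile(r"[0-9,\-]{1,64}")                            # e.g. 22,80,8000-8100

def build_nmap_argv(scan_type: str, ports: str, additional_args: str, target: str) -> list[str]:
    """Hardened form: reject anything outside the allowlist, then build an argv list.
    With a list and shell=False, ';', '|', '`' and '$(' are ordinary characters."""
    if not _TARGET_RE.fullmatch(target):          # also rejects a leading '-'
        raise ValueError(f"rejected target {target!r}")
    if ports and not _PORTS_RE.fullmatch(ports):
        raise ValueError(f"rejected ports {ports!r}")
    argv = ["nmap", *shlex.split(scan_type)]
    if ports:
        argv += ["-p", ports]
    # shlex.split stops shell injection but not option injection (e.g. an output
    # flag pointing at an arbitrary path); a real handler should allowlist flags too.
    argv += shlex.split(additional_args)
    argv.append(target)
    return argv

def rejected(scan_type: str, ports: str, additional_args: str, target: str) -> bool:
    """True if the hardened builder refuses this parameter set."""
    try:
        build_nmap_argv(scan_type, ports, additional_args, target)
    except ValueError:
        return True
    return False

def argv_is_literal(payload: str) -> str:
    """Runs /bin/echo (not nmap) via list-form exec and returns what it received,
    showing that a hostile string arrives as one argument with nothing executed."""
    out = subprocess.run(["echo", payload], shell=False, capture_output=True, text=True)
    return out.stdout.rstrip("\n")

if __name__ == "__main__":
    hostile = "example.com; rm -rf /"            # constructed sample, same as the issue's
    print(vulnerable_nmap_command("-sCV", "80", "", hostile))   # a shell would run both parts
    print(argv_is_literal(hostile))                             # echoed back verbatim
    print(rejected("-sCV", "80", "", hostile))                  # True: never reaches nmap
```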
The Real Danger: Prompt Injection to Command Execution
The command injection alone would be a routine finding. What makes this truly dangerous is the attack chain it enables.
The MCP server is designed to be driven by an AI agent. The parameters fed to these tool handlers originate from AI model outputs. An attacker does not need direct access to the MCP server. They can plant malicious payloads in places the AI agent will encounter during a penetration test:
- HTTP response headers or body content from a target website
- DNS TXT records on a target domain
- Banner strings from services on open ports
- Error messages or file contents on a target system
When the AI agent reads these poisoned inputs and passes them as parameters to the MCP server, the injected commands execute on the Kali host with zero human interaction. This is a confused deputy attack - the AI agent becomes the unwitting carrier.
A penetration tester scanning a target that knows it is being tested could have their own Kali box compromised through the tool they're using to test it.
| Stakeholder | Impact | Timeline |
|---|---|---|
| Pentesters using mcp-kali-server | Arbitrary command execution on their Kali host via poisoned scan targets | Immediate - no patch available |
| Pentest clients | Attacker could pivot from compromised Kali box to client infrastructure | Immediate |
| Kali Linux (Offensive Security) | Reputational damage from shipping vulnerable package in official repos | Until patch or removal |
| MCP ecosystem | Further erosion of trust in MCP server security | Ongoing |
The Systemic Problem
This Is Not Isolated
This vulnerability is one instance of an ecosystem-wide failure. Endor Labs studied 2,614 MCP implementations and found that 34% use APIs prone to command injection (CWE-78). Between January and February 2026, 30 CVEs were filed against MCP servers.
| CVE | Server | Vulnerability |
|---|---|---|
| CVE-2025-68143/44/45 | Anthropic's mcp-server-git | Path validation bypass, argument injection |
| CVE-2025-53967 | Framelink Figma MCP (600k+ downloads) | Command injection via child_process.exec |
| CVE-2025-6514 | mcp-remote (437k+ installs) | OS command injection via malicious auth endpoint |
| CVE-2025-49596 | Anthropic MCP Inspector | Browser-based attack leading to arbitrary command execution |
Even Anthropic's own MCP servers had command injection vulnerabilities. The mcp-server-git flaws were discovered by security startup Cyata in June 2025 and patched in December 2025 - a six-month window. One fix was simply removing the vulnerable tool completely.
OWASP now maintains an MCP Top 10, with Command Injection and Execution listed as MCP05. Simon Willison, who has been tracking MCP security since its launch, wrote that "the lack of progress over the past two and a half years doesn't fill me with confidence that we'll figure this out any time soon."
The Irony
A tool designed specifically for offensive security professionals - people whose entire job is finding command injection vulnerabilities - ships with a textbook command injection vulnerability. The mcp-kali-server is installable via sudo apt install mcp-kali-server. It's part of the kali-linux-everything metapackage. It carries the implicit trust of Kali's official repository.
This is the same project we covered last week when TrustedSec CTO Justin Elze criticized its lack of data security warnings. The data privacy issue was bad. A command injection vulnerability that turns the tester's own machine into a target is worse.
Who Found It
The vulnerability was reported by Simone Margaritelli (evilsocket), the security researcher known for creating bettercap, opensnitch, and pwnagotchi. He's also the author of Nerve, an agent development framework with first-class MCP support - meaning he has direct practical experience with the security effects of AI agent-to-tool interfaces. He previously discovered the CUPS vulnerability chain (CVE-2024-47176 and related), a CVSS 9.9 arbitrary code execution affecting virtually all GNU/Linux systems.
What Happens Next
The immediate question is how fast this gets patched. The GitHub issue has zero maintainer comments as of publication. The repository has 501 stars, 108 forks, and 4 contributors. There are no open pull requests addressing the vulnerability.
The harder question is structural. The MCP specification tells implementors that "tools represent arbitrary code execution and must be treated with appropriate caution." But the specification provides no enforcement mechanism. There's no security audit requirement, no certification, no automated scanning in the MCP registry. The result is predictable: one in three MCP servers ships with command injection vulnerabilities because nothing in the ecosystem prevents it.
Docker published a piece titled "MCP Horror Stories." AuthZed maintains a timeline of MCP breaches that reads like a security incident calendar. Palo Alto's Unit42 has published attack vector research. The security industry has been sounding the alarm. The MCP ecosystem hasn't been listening.
The penetration testing distribution that built its reputation on finding exactly this class of vulnerability is now shipping it in its own official packages. The tool that security professionals use to find shell=True command injection in client applications has shell=True command injection in its own code. No one reviewed server.py before it went into Kali's repos. No one noticed that every single parameter in every single tool handler is an injection point. The fix is six lines of Python. The question is whether anyone will apply it before someone's Kali box gets compromised by a target that read the same GitHub issue we all just read.
Sources:
- Command Injection via Unescaped Argument Interpolation - GitHub Issue #37
- MCP-Kali-Server GitHub Repository
- Classic Vulnerabilities Meet AI Infrastructure: Why MCP Needs AppSec - Endor Labs
- OWASP MCP Top 10
- MCP Has Prompt Injection Security Problems - Simon Willison
- MCP Horror Stories: The GitHub Prompt Injection Data Heist - Docker
- Timeline of MCP Breaches - AuthZed
- Anthropic MCP Prompt Injection Flaws - The Register
