
Cherry Studio Hit By Critical CVSS 9.7 Flaw Allowing One-Click RCE via Malicious Links
Rapid advisory + defensive playbook from CyberDudeBivash (no exploit code, no PoCs).
cyberdudebivash.com | cyberbivash.blogspot.com
Author: CyberDudeBivash — cyberbivash.blogspot.com | Published: Oct 13, 2025
TL;DR
- CVE-2025-61929 (CVSS 9.7, critical): Cherry Studio’s custom URL scheme (cherrystudio://) can be abused for **one-click remote code execution (RCE)** when victims open a crafted link.
- The bug ties to handling of cherrystudio://mcpinstallation URLs where base64 config is parsed and a command executed.
- Action: update to the latest Cherry Studio release immediately and apply the hardening steps below. Prior related issues were fixed around v1.5.2, but always install the newest version available.
Contents
- What happened
- Why this matters
- Who is at risk
- Defensive detection ideas
- Mitigation & hardening checklist
- Incident response playbook
- Apps & services to help
- References
What happened
A critical flaw (CVE-2025-61929) in Cherry Studio — a cross-platform desktop client for multiple LLM providers — allows **one-click RCE** via its custom URL protocol cherrystudio://. When handling certain MCP installation links, Cherry Studio decodes embedded configuration and **executes a command**, enabling code execution after a single click on a malicious link.
Related earlier Cherry Studio issues (e.g., command injection when connecting to malicious MCP servers) were remediated around v1.5.2, underscoring an evolving attack surface for MCP-enabled clients.
Why this matters
- Single-click compromise: social engineering + a crafted link can compromise developer or analyst machines.
- Supply-chain ripple: compromised hosts may hold API keys, model credentials, or access to CI/CD and corp networks.
- AI agent ecosystem risk: multiple MCP-capable apps have seen similar issues in 2025; defenders should harden protocol handlers and agent connectivity.
Who is at risk
- Users who have Cherry Studio installed with the cherrystudio:// protocol registered.
- Teams evaluating external MCP servers or importing third-party MCP configurations.
- Developers/analysts who may click links in chats, docs, or websites that trigger the custom protocol.
Defensive detection ideas (safe)
Use these non-exploitative checks to surface suspicious behavior:
- Process tree anomalies: Cherry Studio or its child processes spawning shells or unknown binaries shortly after browser clicks.
- URL handler telemetry: log invocations of cherrystudio:// handlers; alert on cherrystudio://mcp with unexpected base64 payload sizes.
- Network egress: new outbound connections from Cherry Studio to unrecognized MCP endpoints following link clicks.
- File drift: new scripts appearing in app data or temp paths post-click; compare to a clean baseline.
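The first two checks above, implemented over process-creation telemetry as an added example (not code from the original advisory or from the Cherry Studio project). The event field names, the 512-character threshold, the binary-name match and the sample URL's path and parameter name are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

MAX_B64_LEN = 512  # assumed threshold; tune against benign links in your fleet
SHELLS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
URL_RE = re.compile(r"cherrystudio://[^\s\"']+", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

def b64_field_lengths(url):
    """Lengths of base64-looking query values and path segments in a handler URL."""
    parts = urlsplit(url)
    fields = [kv.partition("=")[2] for kv in parts.query.split("&")]
    fields += parts.path.split("/")
    return [len(f) for f in map(unquote, fields) if B64_RE.match(f)]

def basename(image):
    return re.split(r"[\\/]", image)[-1].lower()

def detect(events):
    """events: time-ordered dicts (pid, ppid, image, cmdline) -> [(rule, pid)]."""
    alerts, tracked = [], set()  # tracked = app processes and their descendants
    for ev in events:
        name = basename(ev["image"])
        # Assumption: the app's binary name contains "cherry".
        if "cherry" in name or ev["ppid"] in tracked:
            tracked.add(ev["pid"])
        for url in URL_RE.findall(ev["cmdline"]):
            big = any(n > MAX_B64_LEN for n in b64_field_lengths(url))
            if urlsplit(url).netloc.lower().startswith("mcp") and big:
                alerts.append(("handler_large_b64", ev["pid"]))
        if name in SHELLS and ev["ppid"] in tracked:
            alerts.append(("shell_under_app", ev["pid"]))
    return alerts

# Constructed process-creation events (not real telemetry). The URL path and
# parameter name are placeholders, not the application's real link format.
SAMPLE = [
    {"pid": 100, "ppid": 1, "image": "/opt/CherryStudio/cherry-studio",
     "cmdline": "cherry-studio"},
    {"pid": 200, "ppid": 50, "image": "/opt/CherryStudio/cherry-studio",
     "cmdline": "cherry-studio cherrystudio://mcp/placeholder?p=" + "QUJD" * 200},
    {"pid": 201, "ppid": 200, "image": "/bin/sh", "cmdline": "sh -c placeholder"},
    {"pid": 300, "ppid": 50, "image": "/usr/bin/bash", "cmdline": "bash"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Feed it events exported from your EDR or audit log in timestamp order; the descendant tracking depends on parents appearing before their children.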
Mitigation & hardening checklist
- Update immediately: install the latest Cherry Studio version available from the vendor; prior Cherry issues were fixed around v1.5.2, but always move to the newest release and monitor for a dedicated fix for CVE-2025-61929.
- Disable protocol handler (temporary): unregister or block cherrystudio:// at OS level until patched; restrict browser ability to open it.
- Zero-trust MCP: only connect to trusted MCP servers; validate configuration sources; block external MCP URLs by default.
- OS sandboxing: run Cherry Studio with least privilege; consider AppArmor/SELinux profiles and separate user accounts on Linux/macOS.
- Secrets hygiene: keep API keys out of user profiles; use scoped tokens and rotate credentials on affected hosts.
- SIEM rules: add detections for custom-protocol invocations spawning shells; alert on anomalous parent→child chains.
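To confirm the "disable protocol handler" step actually took effect on Linux desktops, this added example (not from the original advisory or the Cherry Studio project) audits freedesktop-style `mimeapps.list` and `.desktop` contents for a remaining cherrystudio:// registration. The desktop ID and Exec path in the sample are constructed placeholders, and the handling of `[Removed Associations]` is a simplified model of the mime-apps convention; Windows and macOS register URL schemes differently and are not covered.

```python
import configparser

SCHEME_MIME = "x-scheme-handler/cherrystudio"
ACTIVE = ("Default Applications", "Added Associations")

def _ini(text):
    # Both file types are INI-like; keep key case and disable % interpolation
    # because Exec= lines contain field codes such as %U.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def mimeapps_bindings(text):
    """Map each mimeapps.list section to the desktop IDs it lists for the scheme."""
    cp, out = _ini(text), {}
    for section in cp.sections():
        ids = [i for i in cp.get(section, SCHEME_MIME, fallback="").split(";") if i]
        if ids:
            out[section] = ids
    return out

def declares_scheme(desktop_text):
    """True if a .desktop entry lists the scheme in its MimeType= key."""
    mimes = _ini(desktop_text).get("Desktop Entry", "MimeType", fallback="")
    return SCHEME_MIME in [m.strip() for m in mimes.split(";")]

def active_handlers(mimeapps_text, desktop_files):
    """Desktop IDs this model treats as still registered for cherrystudio://."""
    bound = mimeapps_bindings(mimeapps_text)
    ids = {i for s in ACTIVE for i in bound.get(s, [])}
    ids |= {name for name, text in desktop_files.items() if declares_scheme(text)}
    return sorted(ids - set(bound.get("Removed Associations", [])))

# Constructed sample files; the desktop ID and Exec path are placeholders.
MIMEAPPS = """[Default Applications]
x-scheme-handler/https=firefox.desktop
x-scheme-handler/cherrystudio=cherry-studio.desktop;
"""
DESKTOP_FILES = {"cherry-studio.desktop": """[Desktop Entry]
Name=Cherry Studio
Exec=/opt/cherry-studio/cherry-studio %U
MimeType=x-scheme-handler/cherrystudio;
"""}

if __name__ == "__main__":
    print(active_handlers(MIMEAPPS, DESKTOP_FILES))
```

An empty result across every user's `mimeapps.list` and the installed `.desktop` files is the state to verify before treating the handler as disabled.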
Incident Response (if you suspect exploitation)
- Isolate the host and snapshot the system/VM.
- Preserve evidence: browser history/events around the click, protocol handler logs, Cherry Studio logs, process trees, and filesystem diffs.
- Rotate tokens/keys used on the host (LLM providers, git, CI/CD, cloud CLI).
- Clean rebuild from a known-good image if integrity is uncertain; redeploy with patched Cherry Studio.
🧰 CyberDudeBivash Response & Tools
Need help hardening MCP-capable clients or investigating a suspected hit?
- Threat Analyser — IOC correlation & process tree analytics.
- SessionShield — session integrity protection for desktop portals.
- Emergency IR consult
References
- NVD entry for CVE-2025-61929 (custom protocol → one-click code execution).
- Tenable summary mirroring NVD technical description.
- Coverage: SecurityOnline.Info’s explainer of the one-click RCE via malicious links.
- Prior related Cherry Studio command-injection issues and fixed versions (~v1.5.2).
- Broader MCP-client risk context (researchers highlighting multiple AI-agent client vulns in 2025).
Closing note
Treat custom URL handlers as high-risk entry points. Patch Cherry Studio to the newest version, disable the cherrystudio:// handler until updates are deployed, and enforce zero-trust for MCP sources. For a quick tabletop on desktop-client protocol attacks or help validating your environment: https://www.cyberdudebivash.com/contact