Framelink Figma MCP server flaw (CVE-2025-53967)

Key Takeaways

• MCP server allowed unauthenticated access
• Attackers could execute arbitrary system commands
• Vulnerability affected AI-assisted design workflows
• No confirmed exploitation reported at disclosure
• Patch released to remediate the issue

Unauthenticated MCP Server Allowed Remote Command Execution

A vulnerability in the Framelink Figma MCP server allowed unauthenticated attackers to execute arbitrary commands on the host system. The issue stemmed from insufficient authentication controls on exposed MCP endpoints. While no active exploitation was reported, the flaw posed a serious risk to AI-enabled design environments that relied on MCP servers to automate workflows.

Source: NIST National Vulnerability Database

What We Know

The vulnerability was disclosed in October 2025 and assigned CVE-2025-53967. It affected the Framelink MCP server used to integrate Figma with AI-driven tooling and automation workflows.

According to the NVD entry, the MCP server exposed endpoints that accepted commands without requiring authentication. An attacker with network access could send crafted requests to these endpoints and trigger arbitrary command execution on the underlying system.

The advisory indicates that the issue was resolved through updates that added authentication and restricted command execution paths. At the time of disclosure, there were no public reports confirming real-world exploitation or customer impact.

Source: NIST NVD CVE-2025-53967

How the Breach Happened

This incident resulted from missing authentication and authorization checks on an AI MCP server component. The MCP server was designed to enable automated interactions between AI agents and Figma design assets, but it trusted inbound requests without validating their source.

Because the server accepted commands directly, an unauthenticated attacker could issue instructions that were executed by the host system. This created a direct path from network access to system-level command execution.

The vulnerability highlights a common risk in AI agent infrastructures, where convenience and extensibility can override fundamental security controls such as authentication, access validation, and command restriction.

Why It Matters

AI MCP servers often act as bridges between AI agents and real-world systems, including design tools, repositories, and CI workflows. When these servers are exposed without proper authentication, they become high-value targets.

Even without confirmed exploitation, the potential impact of unauthenticated remote command execution is severe. Successful exploitation could lead to system compromise, data tampering, or misuse of connected AI agents and workflows.

As AI-assisted tooling becomes more integrated into development and design processes, weaknesses in MCP servers can undermine trust across entire toolchains.

PointGuard AI Perspective

This vulnerability illustrates how AI agent infrastructure can introduce traditional security risks in new places.

PointGuard AI helps organizations secure AI-enabled environments by providing visibility into agent activity, MCP server interactions, and command execution paths. This enables early detection of anomalous behavior that may indicate attempted exploitation.

Policy-based controls allow teams to restrict what actions AI agents and MCP servers are allowed to perform, reducing the impact of misconfigurations or exposed endpoints.

By continuously tracking AI-related security incidents, PointGuard AI helps organizations identify systemic weaknesses in AI toolchains and adopt AI technologies more safely.

Source: AI Runtime Defense
Source: AI Supply Chain Security
Source: AI Security Incident Tracker

Incident Scorecard Details

Total AISSI Score: 7.7/10

Criticality = 8.5, Unauthenticated remote command execution, AISSI weighting: 25%
Propagation = 7.0, Requires network access to exposed MCP server, AISSI weighting: 20%
Exploitability = 8.0, Low complexity due to missing authentication, AISSI weighting: 15%
Supply Chain = 7.5, Impacts AI tooling integrated into design workflows, AISSI weighting: 15%
Business Impact = 6.5, No confirmed exploitation or breach reported, AISSI weighting: 25%

Sources

• NIST National Vulnerability Database CVE-2025-53967