Executive Summary
In early 2025, a critical vulnerability (CVE-2025-53967) was discovered in a third-party connector integrating agentic AI capabilities with Figma’s Multi-Cloud Platform (MCP) server. This supply-chain flaw enabled remote code execution (RCE), allowing attackers to exploit the connection to infiltrate organizational environments using the affected plugin. Threat actors leveraged the unsanctioned plugin to gain unauthorized access to internal systems, potentially exposing sensitive design data, intellectual property, and user information. The compromise highlighted risks associated with insufficient east-west security controls, lack of zero trust segmentation, and inadequate traffic visibility, ultimately impacting business continuity and trust in the collaboration platform.
This incident exemplifies the growing threat of supply-chain vulnerabilities targeting enterprise SaaS applications, amid increasing adoption of AI integrations. Organizations are re-evaluating their third-party risk, agentic AI governance, and internal segmentation postures as regulatory scrutiny and attacker sophistication intensify.
Why This Matters Now
The Figma MCP server incident serves as a warning about the urgency of patching third-party components and securing AI integrations. As AI-driven plugins proliferate across enterprise platforms, attackers are exploiting gaps in visibility, segmentation, and supply-chain vetting, making rapid response and proactive controls critical to protect sensitive assets.
Attack Path Analysis
Attackers exploited CVE-2025-53967 in a third-party integration with Figma's MCP server to achieve remote code execution in cloud-connected environments. After gaining a foothold, adversaries likely sought to escalate privileges within the affected cloud accounts, manipulated workload identities, and pivoted laterally across distributed workloads and regions. Malicious communications with external infrastructure established command and control, enabling staged data exfiltration. Ultimately, attackers faced little resistance to potentially disrupt operations or manipulate AI-powered design workflows.
Kill Chain Progression
Initial Compromise
Description
Attackers leveraged CVE-2025-53967 in a third-party Figma MCP server integration to gain remote code execution in the cloud environment.
Related CVEs
CVE-2025-53967
CVSS 8
A command injection vulnerability in Framelink Figma MCP Server before version 0.6.3 allows unauthenticated remote attackers to execute arbitrary operating system commands via crafted HTTP POST requests containing shell metacharacters.
Affected Products:
Framelink Figma MCP Server – < 0.6.3
Exploit Status:
no public exploit
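An added detection sketch for the flaw described above (not code from the advisory or the Framelink project): it inspects HTTP POST bodies for calls to the get_figma_data tool whose string arguments contain shell metacharacters. It assumes requests arrive as MCP JSON-RPC "tools/call" messages; the argument names (fileKey, nodeId) and the request bodies are constructed for illustration.

```javascript
// Added example. Request bodies are constructed samples, not captured traffic.
// Assumption: the server receives MCP JSON-RPC "tools/call" messages over HTTP POST.

// Characters a POSIX shell treats as syntax; tool identifiers should never contain them.
const SHELL_META = /[;&|`$<>(){}\\\n\r'"]/;

// Recursively yield every string value with its path, e.g. "arguments.fileKey".
function* stringLeaves(value, path) {
  if (typeof value === "string") yield [path, value];
  else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) yield* stringLeaves(v, `${path}.${k}`);
  }
}

// Returns findings for one POST body; an empty array means nothing was flagged.
function inspectToolCall(rawBody, watchedTools = ["get_figma_data"]) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch { return [{ reason: "unparseable-json" }]; }
  const findings = [];
  // JSON-RPC allows batches, so treat a single message as a batch of one.
  for (const msg of Array.isArray(parsed) ? parsed : [parsed]) {
    if (!msg || msg.method !== "tools/call" || !msg.params) continue;
    if (!watchedTools.includes(msg.params.name)) continue;
    for (const [path, text] of stringLeaves(msg.params.arguments, "arguments")) {
      const hit = SHELL_META.exec(text);
      if (hit) {
        findings.push({ tool: msg.params.name, path, char: hit[0], reason: "shell-metacharacter" });
      }
    }
  }
  return findings;
}

// Constructed samples: one ordinary call, one carrying a command separator.
const SAMPLE_BODIES = [
  JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/call",
    params: { name: "get_figma_data", arguments: { fileKey: "AbC123xyz", nodeId: "12:34" } } }),
  JSON.stringify({ jsonrpc: "2.0", id: 2, method: "tools/call",
    params: { name: "get_figma_data", arguments: { fileKey: "AbC123xyz;echo test" } } }),
];

for (const body of SAMPLE_BODIES) {
  console.log(JSON.stringify(inspectToolCall(body)));
}
```

The same check can reject requests in a reverse proxy or middleware in front of an unpatched server; it is a stopgap for detection and filtering, and upgrading to 0.6.3 or later remains the fix.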
MITRE ATT&CK® Techniques
Supply Chain Compromise
Exploit Public-Facing Application
Exploitation for Client Execution
Command and Scripting Interpreter
Valid Accounts
Impair Defenses
Obfuscated Files or Information
Ingress Tool Transfer
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Custom and Third-Party Software
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Third-Party Risk Management
Control ID: Article 28(2)d
CISA ZTMM 2.0 – Continuous Inventory and Risk Assessment of Third-Party Assets
Control ID: Asset Management - 1.2
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)d
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical supply-chain vulnerability in Figma MCP server exposes software development workflows to agentic AI compromise and remote code execution attacks.
Design
Design teams using Figma's agentic AI integrations face immediate RCE threats requiring urgent patching to prevent workflow disruption and data exposure.
Information Technology/IT
IT organizations managing cloud-native security fabrics must address CVE-2025-53967 to prevent AI-driven lateral movement and shadow AI exploitation vectors.
Computer/Network Security
Security practitioners face third-party integration risks as agentic AI systems bypass traditional zero trust segmentation and threat detection capabilities.
Sources
- Framelink Figma MCP Server Opens Orgs to Agentic AI Compromise: https://www.darkreading.com/vulnerabilities-threats/figma-mcp-server-agentic-ai-compromise (Verified)
- CVE-2025-53967 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-53967 (Verified)
- figma-developer-mcp vulnerable to command injection in get_figma_data tool: https://github.com/advisories/GHSA-gxw4-4fc5-9gr5 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, east-west traffic controls, and centralized egress enforcement would have decisively limited initial intrusion blast radius, detected anomalous activity, and contained lateral movement and data loss across the Figma-connected cloud supply chain. CNSF controls map directly to each stage of the kill chain, reducing attack surface and enabling faster detection and response.
Control: Inline IPS (Suricata)
Mitigation: Prevented or detected exploit signatures at network ingress points.
Control: Zero Trust Segmentation
Mitigation: Restricted access between compromised workloads and sensitive systems.
Control: East-West Traffic Security
Mitigation: Detected and contained unauthorized lateral movement within the cloud network.
Control: Egress Security & Policy Enforcement
Mitigation: Flagged or blocked unauthorized outbound C2 attempts.
Control: Cloud Firewall (ACF)
Mitigation: Blocked data exfiltration via tight egress controls and anomaly detection.
Enabled rapid detection and incident response to minimize operational impact.
Impact at a Glance
Affected Business Functions
- Design Operations
- AI Integration Workflows
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive design files and intellectual property due to unauthorized access facilitated by remote code execution.
Recommended Actions
Key Takeaways & Next Steps
- Deploy inline IPS and zero trust segmentation to protect cloud SaaS integrations and microservices from supply-chain exploits.
- Enforce strict east-west policy controls and anomaly detection to swiftly identify and contain lateral movement.
- Apply granular egress filtering and cloud firewalling to limit outbound communications and block data exfiltration attempts.
- Enhance visibility across multi-cloud and hybrid architectures using centralized fabric controls for proactive threat hunting.
- Regularly validate and test third-party integrations for security posture, ensuring all workload access is governed by least privilege and microsegmentation.
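One way to apply the last takeaway to this advisory's affected range (an added example, not tooling from the vendor or the project): scan an npm lockfile for copies of figma-developer-mcp older than 0.6.3, including copies nested under other dependencies. The lockfile content and the other package names in it are constructed; only the npm lockfile v2/v3 "packages" layout is handled.

```javascript
// Added example. SAMPLE_LOCK is a constructed lockfile in npm v2/v3 layout.
const PACKAGE = "figma-developer-mcp"; // package name from the GitHub advisory title
const FIXED = [0, 6, 3];               // first fixed release according to the page

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) } : null;
}

// True when version < 0.6.3. A prerelease of 0.6.3 sorts before the release (semver rule).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // unparseable: surface for manual review instead of passing silently
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Returns every installed copy of the package that falls in the affected range.
function findAffected(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the last segment is the package name.
    const name = path.split("node_modules/").pop();
    if (name === PACKAGE && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: one direct vulnerable copy, one nested patched copy.
const SAMPLE_LOCK = JSON.stringify({
  name: "design-tools", lockfileVersion: 3,
  packages: {
    "": { name: "design-tools" },
    "node_modules/figma-developer-mcp": { version: "0.5.2" },
    "node_modules/agent-kit/node_modules/figma-developer-mcp": { version: "0.6.3" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
});

console.log(findAffected(SAMPLE_LOCK));
```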



