The same connection he made Anthropic Model Context Protocol (MCP) The fastest AI integration standard to be adopted in 2025 has created the most dangerous blind spot in enterprise cybersecurity.
Recent research from pint Measures the increased threat in clear, unambiguous terms. Their analysis reveals the striking network effect of vulnerabilities that exacerbate the use of more MCP plugins. Deploying ten MCP plug-ins creates a Probability of exploitation 92%. In three interconnected servers, there is a risk exceeds 50%. Even a single MCP plugin offers a 9% exploit potential, and the threat multiplies exponentially with each addition.
The security paradox of MCPs leads to one of the most significant AI risks organizations face
The design premise of MCP began with the laudable goal of solving the AI integration mess. Anthropic has chosen to standardize how large language models (LLMs) connect to external tools and data sources, providing what every organization working with AI models and resources desperately needs: a universal interface for AI agents to access everything from APIs, cloud services, databases, and more.
Anthropy’s launch was extremely well coordinated MCP immediately gained traction with many of the industry’s leading AI companies, including Google and Microsoft, who quickly adopted the standard. And now, ten short months after launch, it’s there More than 16,000 MCP servers deployed across Fortune 500 companies this year alone.
At the heart of the MCP’s security paradox lies its greatest strength: Frictionless contact and Comprehensive integration With as little friction as possible. This aspect of the protocol is Greatest weakness. protection It was not built into the basic design of the protocol. Authentication It remains optional. Delegation frameworks The updates arrived just six months ago, months after the protocol had become widespread. Combined, these two factors feed quickly Sprawling attack surface Each new connection multiplies the risks, creating… Network effect Of the weak points.
"MCP ships with the same bug we’ve seen in every major version of the protocol: insecure defaults," warns Merit Bayer, chief security officer at… Encrypt Amnesty International and an advisor to companies including Andesite and AppOmni, he told VentureBeat in a recent interview. "If we don’t build in authentication and least privilege from day one, we’ll be cleaning up breaches for the next decade."
source: Pint, measuring risk exposure across 281 MCPs report
Identifying synthetic risks: How security breaks at scale
Bent analysis 281 The MCP server provides the data needed to illustrate the mathematical principles that are fundamental to synthetic risk.
According to their analysis, 72% of MCPs expose sensitive capabilities including dynamic code execution, file system access, and privileged API calls, while 13% accept untrusted input such as web scraping, Slack messages, email, or RSS feeds. When these two risk factors intersect, as they do in 9% of real-world MCP settings, attackers gain direct paths to instant injection, command execution, and data exfiltration, often without requiring a single human approval. These are not hypothetical weaknesses; They are live, measurable exploit paths hidden within daily MCP configurations.
"When you connect to an MCP server, you not only trust your security, you inherit the integrity of every tool, every credential, and every developer in that chain," Beyer warns. "This represents a real-time supply chain risk."
source: Pint, measuring risk exposure across 281 MCPs report
The growing base of real-world exploits shows that MCP vulnerabilities are real
Security research teams from several industry-leading companies continue their work to identify real-world vulnerabilities that MCP currently sees in the wild, as well as those that are theoretical in nature. The MCP protocol continues to show increasing vulnerabilities in various scenarios, including the following:
CVE-2025-6514 (CVSS 9.6): The MCP-remote package, which has been downloaded more than 500,000 times, contains a critical vulnerability that allows arbitrary execution of operating system commands. "The vulnerability allows an attacker to trigger execution of arbitrary operating system commands on a device running MCP-remote when it initiates a connection to an untrusted MCP server, resulting in a complete system compromise." warns J Frog Security team.
MCP postmark back door: Ironing security revealed that Postmark package-mcp npm The Trojan was made to give the attackers implicit access "God mode" Access within the AI workflow. In version 1.0.16, the malicious actor inserted a single line of code that masked every outgoing email to their domain (e.g., [email protected]), effectively filtering internal memos, invoices, and password resets, all without raising alerts. like Koi researchers Put it: "These MCP servers operate with the same privileges as the AI assistants themselves – full access to email, database connections, and API permissions – yet they do not appear in any asset inventory, bypass vendor risk assessments, and bypass all security controls from DLPs to email gateways."
Aidan Dardikman, Co-Founder and CTO of Koi Security, he writes in a recent blog post Detecting the lethality of the Postmark-mcp npm package, "Let me be clear about something: MCP servers are not like regular npm packages. These are tools specifically designed for AI assistants to use independently."
"If you are using postmark-mcp version 1.0.16 or later, you are vulnerable. Remove it immediately and delete any credentials that may have been exposed via email. But most importantly, review every MCP server you use. Ask yourself: Do you actually know who built these tools that you trust with everything? " Dardikman writes. He finishes mail With strong advice: "Stay paranoid. With MCPs, paranoia is just common sense."
CVE-2025-49596: Oligo Security Revealed a critical RCE vulnerability in Anthropic’s MCP Inspector, enabling browser-based attacks. "By executing code on a developer’s device, attackers can steal data, install backdoors, and move horizontally across networks." explains Avi Lomelsky, a security researcher
Trail bits "Jump the line" attacks: Researchers have shown how malicious it is MCP servers Inject claims through Tool descriptions To manipulate the behavior of the AI without explicitly calling it. "This vulnerability exploits the false assumption that humans provide a reliable layer of defense," The team notes.
Additional vulnerabilities include Rapid injection attacks Hijacking AI behavior, Instrument poisoningServer metadata processing, Authentication vulnerabilities Where tokens pass through untrusted proxies, and Supply chain attacks through compromised npm packages.
The authentication gap must be designed first
Authentication and authorization were initially optional in MCP. The protocol prioritized interoperability over security, assuming that companies would add their own controls. They didn’t. Ooth 2.0 The license finally arrived in March 2025, and was revised to Ooth 2.1 By June. But thousands of MCP servers deployed without authentication remain in production.
Academic research from Queen’s University analyzed 1,899 open source MCP servers and found that 7.2% of them contained public security vulnerabilities and 5.5% of them showed MCP-specific tool poisoning. Gartner survey (via IBM’s Human-Machine Obliteration paper) This report reveals that organizations deploy 45 cybersecurity tools but effectively manage only 44% of device identities, meaning half of the identities in enterprise ecosystems may be invisible and unmanaged.
Defining a comprehensive defense strategy for MCP is at stake
Defining a multi-layered MCP defense strategy helps fill remaining gaps in the original protocol architecture. The layers identified here aim to combine structural safeguards with immediate operational measures to reduce the threat surface of an organization.
Layer 1: Start with the weakest area of the MCP which is authentication and access controls
Improving authentication and access controls must start with implementation Ooth 2.1 Each gateway has an MCP across the enterprise. Gartner It indicates that organizations implementing these measures report 48% fewer vulnerabilities, 30% better user adoption, and centralized MCP server monitoring. "MCP gateways act as essential security intermediaries." He writes Research company, by providing unified server catalogs and real-time monitoring.
Layer 2: Why semantic layers are important in contextual security
Semantic layers are essential to provide greater context for each access decision, ensuring AI agents only work with standard, reliable, and verifiable data. Deploying semantic layers helps reduce operational load, improves natural language query accuracy, and provides the real-time traceability security leaders need. VentureBeat believes that the practice of including security policies directly into data access contributes to reducing the risk of compromise and increasing the security of proxy analytics workflows.
Layer 3: Cognitive graphs are essential for vision
By definition, knowledge graphs connect entities, analytics assets, and business processes, enabling AI agents to operate transparently and securely within an organizational context. Gartner highlights this capability as essential for regulatory compliance, auditability, and trust, especially in complex queries and workflows. Merit Bayer emphasizes the urgency: "If you use MCP today, you really need security. Guardrails, monitoring and audit trails are not optional – they are the difference between innovation with or without risk mitigation." Bayer advises.
Recommended action plan for security leaders
VentureBeat recommends that security leaders with active MCP-based integrations in their organizations take the following five precautionary measures to secure their infrastructure:
-
Make it a practice to implement MCP gateways by implementing them first Ooth 2.1 and OpenID connection With centralized MCP server registration.
-
Determine how your infrastructure can support a layered security architecture with semantic layers and knowledge graphs alongside gateways.
-
Shift the activity of conducting regular MCP audits through threat modeling, continuous monitoring, and redundant collaboration into the muscle memory of your security teams, so that it’s reactive.
-
Limit MCP plugin use to essential plugins only – remember: 3 attachments = 52% risk, 10 attachments = 92% risk.
-
Invest in AI security as a distinct risk category within your cybersecurity strategy.
[og_img]
Source link