
Model Context Protocol (MCP) servers are the new backbone of AI-driven operations, but they've also introduced a dangerous attack surface. Critical vulnerabilities like remote code execution, authentication bypasses, and novel tool poisoning attacks are already being exploited, exposing organizations to devastating breaches.
Released as an open standard in late 2024, MCP was quickly adopted to connect AI systems to internal data. What many didn't realize is that they were deploying a prime target for cybercriminals: a server aggregating access to an organization's most sensitive systems, often with minimal security. Research reveals a perfect storm of protocol design flaws and implementation errors, with one study finding 43% of tested MCP implementations contained command injection flaws and another discovering nearly 500 servers exposed without any authentication.
Critical Vulnerabilities in the Wild
MCP deployments are plagued by a range of severe vulnerabilities, from classic code execution flaws to entirely new AI-centric attacks.
Remote Code Execution (RCE) and Filesystem Flaws
Security researchers have uncovered multiple critical vulnerabilities allowing complete system compromise.
- CVE-2025-49596: A flaw in Anthropic's official MCP Inspector tool allows RCE because the tool exposed its functionality without any authentication, turning any developer machine running it into a target.
- CVE-2025-6514: A flaw in the popular mcp-remote proxy tool lets malicious MCP servers execute arbitrary commands on a client's machine.
- Filesystem Vulnerabilities: Two critical bugs (CVE-2025-53110 & CVE-2025-53109) in the widely used Filesystem MCP Server permit directory traversal, letting attackers read or write files anywhere on the system, far outside the intended sandbox directories.
The Rise of Tool Poisoning
Beyond traditional bugs, MCP enables tool poisoning, where attackers manipulate an AI's behavior by embedding malicious instructions in tool definitions. This can be done by hiding commands in a tool's description or distributing them across the entire tool schema, tricking the AI into exfiltrating sensitive data like SSH keys. More advanced attacks even use tool error messages to create persistent backdoors that repeatedly request sensitive information.
A Systemic Breakdown in Security
At its core, the MCP crisis stems from fundamental failures in authentication, input validation, and ecosystem security.
Authentication & Authorization Failure
The MCP specification doesn't mandate authentication, a design flaw that has left hundreds of servers completely exposed online. This has led to "neighborjacking," where attackers on shared networks (like coffee shops or corporate LANs) can discover and access unprotected MCP servers. Even when OAuth is implemented, it's often flawed, with many servers storing credentials in plaintext or using non-expiring tokens.
The Command Injection Catastrophe
A shocking 43% of tested MCP implementations suffer from command injection, a vulnerability that was largely solved in web applications two decades ago. Developers are repeating basic security mistakes by directly executing system commands with unvalidated user input. Most concerningly, even Anthropic's own SQLite MCP server reference implementation (forked over 5,000 times) contained a classic SQL injection flaw that the company declined to patch.
Mitigation and the Path Forward
The security risks facing MCP are severe but not insurmountable. The ecosystem must treat MCP servers as the high-value targets they are.
Immediate Security Controls for Your Organization:
- Mandate OAuth 2.1 with PKCE for all remote connections and use session tokens with short lifetimes.
- Restrict servers to localhost-only where possible, use HTTPS everywhere, and segment MCP servers from the rest of your network.
- Implement parameterized queries, validate all tool parameter schemas, and sanitize outputs to prevent AI manipulation.
- Log all tool interactions, use anomaly detection to spot unusual data access, and integrate with your SIEM.
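As an added example (not code from this article or from any MCP project), the following Python tool handler applies two of the controls listed above: server-side enforcement of the tool's advertised parameter schema, and a parameterized SQLite query, shown next to the string-splicing pattern behind the SQL injection described in the reference-implementation case. The `notes` table, its rows, and the `NOTES_TOOL_SCHEMA` definition are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for the server's real store (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)",
                     [("alice", "public roadmap"), ("bob", "private incident notes")])
    conn.commit()
    return conn

# Hypothetical inputSchema the tool advertises to clients; the handler enforces it
# server-side instead of trusting that the client or the model respected it.
NOTES_TOOL_SCHEMA = {
    "type": "object",
    "properties": {"owner": {"type": "string", "pattern": r"[a-z0-9_]{1,32}"}},
    "required": ["owner"],
    "additionalProperties": False,
}

def validate_args(args, schema):
    """Check required keys, reject unknown keys, and enforce type and pattern."""
    if not isinstance(args, dict):
        raise ValueError("arguments must be a JSON object")
    extra = set(args) - set(schema["properties"])
    if extra and not schema.get("additionalProperties", True):
        raise ValueError(f"unexpected arguments: {sorted(extra)}")
    for key in schema.get("required", []):
        if key not in args:
            raise ValueError(f"missing argument: {key}")
    for key, spec in schema["properties"].items():
        if key not in args:
            continue
        if spec["type"] == "string" and not isinstance(args[key], str):
            raise ValueError(f"{key} must be a string")
        if "pattern" in spec and not re.fullmatch(spec["pattern"], args[key]):
            raise ValueError(f"{key} does not match the allowed pattern")
    return args

def list_notes_vulnerable(conn, args):
    # Injection-prone pattern: the untrusted argument is spliced into the SQL text.
    sql = f"SELECT body FROM notes WHERE owner = '{args['owner']}'"
    return [row[0] for row in conn.execute(sql)]

def list_notes_hardened(conn, args):
    # Validate against the advertised schema, then bind the value as a parameter
    # so SQLite never interprets it as part of the statement.
    owner = validate_args(args, NOTES_TOOL_SCHEMA)["owner"]
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))
    return [row[0] for row in rows]
```

Logging each call's validated arguments and the `ValueError` rejections gives the SIEM the per-tool audit trail the last control above asks for.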
Building a Secure Ecosystem
The MCP protocol itself needs to mature. Like the early days of web APIs, it lacks built-in security. Future specifications must mandate authentication and integrity controls. For now, the burden is on organizations to conduct rigorous security assessments, implement strict controls, and treat every MCP deployment as a critical piece of infrastructure. The window to establish secure MCP practices is closing fast. Action is needed now before these vulnerabilities lead to the next wave of major enterprise breaches.