Model Context Protocol (MCP) has a persistent security problem, and it is not going away. VentureBeat first reported on MCP's vulnerabilities in October, and the numbers were already alarming: research by Pynt found that an organization running just 10 MCP plug-ins faces a 92% probability of exploitation, and that meaningful risk is present with even a single plug-in installed.
The core flaw is unchanged: MCP shipped without mandatory authentication, and authorization frameworks did not arrive until six months after the protocol was already in widespread use. Merritt Baer, Chief Security Officer at Enkrypt AI, called this out as a classic insecure default, stressing that authentication and least privilege have to be designed in from the outset rather than bolted on after the breaches start.
Clawdbot, a viral personal AI assistant built entirely on MCP, has now become the accelerant. Many developers who rushed to stand it up on Virtual Private Servers (VPS) without reading the security documentation unknowingly exposed their organizations to the full breadth of MCP's attack surface.
Itamar Golan, who sold Prompt Security to SentinelOne for an estimated $250 million, issued a blunt warning that a disaster is waiting to happen: thousands of Clawdbot instances are live on VPSs right now, with ports open to the internet and no authentication in front of them.
Knostic's scan of the internet put a number on it, turning up 1,862 exposed MCP servers with no authentication at all. Every one of them is a remotely reachable automation endpoint: an attacker who finds an unauthenticated instance can drive the same tools an assistant like Clawdbot offers its owner, but against the owner's environment.
Three critical vulnerabilities, each tracked as a CVE, have been disclosed in MCP over the past six months, and each traces back to the protocol's design rather than to a single buggy implementation. They cover different attack vectors, but they share a root cause: authentication treated as optional rather than required.
The risk keeps compounding. Equixly's analysis of popular MCP implementations uncovered numerous vulnerabilities, including command injection flaws, where tool inputs end up in shell commands, and unrestricted URL fetching, where a caller can make the server request arbitrary addresses, including internal ones. Forrester analyst Jeff Pollard summed up the exposure by likening MCP to inviting a powerful entity into your environment with no safeguards whatsoever.
The dangerous combination is known vulnerabilities plus deferred fixes. Johann Rehberger's disclosure of a file exfiltration vulnerability showed how prompt injection can turn an AI agent against its operator: the agent reads attacker-controlled content, follows the instructions embedded in it, and uses a legitimate tool to transmit sensitive files to the attacker. Anthropic's launch of Cowork widens the exposure further by putting MCP-based agents in front of a much larger audience, and with it the number of targets worth attacking.
To mitigate these risks, security leaders should act now rather than wait for the protocol to catch up: inventory MCP exposure (which servers exist, which tools they expose, and from where they are reachable); enforce mandatory authentication on every server; restrict network exposure so servers are not bound to public interfaces; assume prompt injection will happen and constrain what each tool is allowed to do; and require human approval for high-risk actions such as sending data outward or executing commands.
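The following is an added illustration of how those mitigations look at the tool layer of an MCP-style server; it is example code written for this article, not code from Clawdbot, Anthropic, or any implementation named above. The request shape, tool names, token and allowlisted host are constructed for the example. It puts the vulnerable command pattern (a shell string built from model-supplied text) beside the hardened argv form, blocks URL fetches to loopback, private and link-local addresses, gates high-risk tools behind an explicit approval flag, and exposes the tool inventory an audit would start from.

```python
"""Hardening checks for a minimal MCP-style tool server (constructed example)."""
import hmac
import ipaddress
from urllib.parse import urlsplit

# 1. Mandatory authentication: no bearer token, no tool call.
def authorize(headers: dict, expected_token: str) -> bool:
    """Constant-time check of a bearer token; header names are lower-cased."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return False
    return hmac.compare_digest(auth[7:].strip(), expected_token)

# 2. Command tools: the injection pattern versus the argv form.
def build_shell_command_vulnerable(path: str) -> str:
    """The pattern behind command-injection findings: concatenation + shell=True.
    A `path` of 'docs; rm -rf /' becomes a second command when the shell parses it."""
    return f"ls -l {path}"

ALLOWED_BINARIES = {"ls"}          # assumption: the only binary this tool may run

def build_argv(binary: str, path: str) -> list:
    """Hardened: allowlisted binary, argv list for subprocess.run(shell=False),
    '--' so the path cannot be read as an option, and no absolute or '..' paths."""
    if binary not in ALLOWED_BINARIES:
        raise PermissionError(f"binary not allowlisted: {binary}")
    if path.startswith("/") or ".." in path.split("/"):
        raise ValueError("only relative paths inside the workspace are allowed")
    return [binary, "-l", "--", path]   # shell metacharacters stay inside one argv element

# 3. URL fetch tools: refuse internal destinations (SSRF).
ALLOWED_FETCH_HOSTS = {"api.example.com"}   # assumption: hosts this server may call

def validate_fetch_url(url: str) -> bool:
    """Allow only http(s) to allowlisted hostnames or to public IP literals.
    Hostnames are matched by allowlist only; a production check must also
    resolve the name and test the resolved address (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.username or parts.password:
        return False
    host = parts.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in ALLOWED_FETCH_HOSTS
    # Loopback, RFC 1918, link-local (cloud metadata), reserved, multicast, 0.0.0.0
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

# 4. Inventory plus human approval for high-risk actions.
TOOLS = {                          # constructed tool registry with a risk rating per tool
    "list_dir":   {"risk": "low"},
    "fetch_url":  {"risk": "medium"},
    "send_email": {"risk": "high"},   # an exfiltration channel if the agent is prompt-injected
    "run_shell":  {"risk": "high"},
}

def inventory() -> list:
    """Everything the server exposes, with its risk level: the audit's starting point."""
    return sorted((name, meta["risk"]) for name, meta in TOOLS.items())

def dispatch(request: dict, expected_token: str) -> dict:
    """Policy gate that runs before any tool body executes."""
    if not authorize(request.get("headers", {}), expected_token):
        return {"error": "unauthorized"}
    name = request.get("tool")
    tool = TOOLS.get(name)
    if tool is None:
        return {"error": "unknown tool"}
    args = request.get("args", {})
    if tool["risk"] == "high" and not request.get("approved", False):
        return {"status": "approval_required", "tool": name}   # a human must confirm
    if name == "fetch_url" and not validate_fetch_url(args.get("url", "")):
        return {"error": "url blocked"}
    if name == "list_dir":
        try:
            return {"status": "ok", "argv": build_argv("ls", args.get("path", "."))}
        except (PermissionError, ValueError) as exc:
            return {"error": str(exc)}
    return {"status": "ok", "tool": name}
```

The network-exposure item from the list above has no code here because it is a deployment setting, not tool logic: bind the server to 127.0.0.1 or a private interface and put it behind a reverse proxy that terminates TLS and enforces the same bearer-token check, rather than listening on 0.0.0.0 on a VPS.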
The governance gap around MCP remains wide open: security vendors are moving quickly to cover the risk, while many enterprises still have no inventory of their MCP exposure, let alone controls on it. As AI agents spread through the enterprise, the window for closing that gap before it is exploited at scale is narrowing.
