Misconfigured AI Servers Compromise Data and Systems

Artificial Intelligence & Machine Learning,
Next-Generation Technologies & Secure Development

Thousands of MCP Servers Expose AI Applications to Security Risks


Recent research has revealed that hundreds of model context protocol (MCP) servers are improperly configured and exposed to the public, resulting in significant vulnerabilities for artificial intelligence applications. This misconfiguration makes these servers attractive targets for malicious actors looking to compromise sensitive AI systems.

Although the MCP protocol was only introduced in November, over 15,000 servers have already been deployed worldwide, according to researchers from Backslash Security. These servers enable connections between AI models and external data sources, often containing sensitive organizational information. As the adoption of AI technologies expands, so too does the deployment of MCP servers.

Of the identified MCP servers, approximately 7,000 were found to be publicly accessible. While some organizations may intentionally expose servers to distribute non-sensitive data, the majority of MCP deployments are expected to require authentication. Alarmingly, these security controls are frequently absent, allowing unrestricted access.

The study identified a concerning subset of exposed servers with weaknesses that could be exploited through unauthorized connections. This condition, referred to as “neighborjacking,” undermines security by permitting unauthenticated devices on the same network to connect. Although such access might not be catastrophic in isolation, it can combine with other security flaws to produce severe risk.

Out of the 7,000 exposed servers, around 70 featured critical vulnerabilities, including path traversal issues and inadequate input sanitization. For instance, one MCP server was found to accept any incoming data, executing it as a shell command and facilitating arbitrary code execution by attackers.
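The three weaknesses described above (unauthenticated exposure to the local network, path traversal, and client input executed as a shell command) each have a small, testable defensive counterpart. The block below is an added example written for this article; it is not Backslash Security's code and not the code of any particular MCP SDK. The function names, the tool registry, the bind-address classification and the sample inputs are all constructed for illustration.

```python
"""
Added example (not Backslash Security's code, not any MCP SDK's code):
three defensive checks an MCP server author can apply at startup and in
tool handlers. Every name below is constructed for illustration.
"""
import ipaddress
import subprocess
from pathlib import Path


def bind_risk(host: str, auth_enabled: bool) -> str:
    """Classify the address a server listens on.

    Listening on a non-loopback address (0.0.0.0, ::, a LAN address) with
    no authentication lets any device on the same network attach to the
    server: the "neighborjacking" condition. Returns "ok", "review"
    (hostname that cannot be classified offline) or "neighborjacking-risk".
    """
    if host == "localhost":
        return "ok"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "review"
    if addr.is_loopback:
        return "ok"
    return "ok" if auth_enabled else "neighborjacking-risk"


def resolve_within_root(root: str, requested: str) -> Path:
    """Resolve a client-supplied path and refuse anything that escapes
    the allowed root (the classic path-traversal check).

    Absolute paths and "../" sequences both resolve to something outside
    root_path and are rejected before any file is opened.
    """
    root_path = Path(root).resolve()
    candidate = (root_path / requested).resolve()
    if candidate != root_path and root_path not in candidate.parents:
        raise PermissionError(f"path escapes root: {requested!r}")
    return candidate


def is_within_root(root: str, requested: str) -> bool:
    """Boolean wrapper around resolve_within_root for quick policy checks."""
    try:
        resolve_within_root(root, requested)
        return True
    except PermissionError:
        return False


# Constructed registry: tool name -> fixed argv prefix. The client chooses
# a tool name and positional arguments; it never supplies the executable
# and never supplies a string that is handed to a shell.
ALLOWED_TOOLS = {
    "word_count": ["wc", "-w"],
    "line_count": ["wc", "-l"],
}


def build_argv(tool_name: str, user_args: list) -> list:
    """Build an argv list for an allow-listed tool.

    Unknown tools raise KeyError. Arguments beginning with "-" are refused
    so client input cannot become options to the underlying program.
    """
    prefix = ALLOWED_TOOLS[tool_name]
    for arg in user_args:
        if not isinstance(arg, str) or arg.startswith("-"):
            raise ValueError(f"rejected argument: {arg!r}")
    return list(prefix) + list(user_args)


def run_tool(tool_name: str, user_args: list, timeout: float = 10.0):
    """Execute an allow-listed tool with shell=False and a timeout, so the
    client's data is passed as discrete arguments, never parsed by a shell."""
    argv = build_argv(tool_name, user_args)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    print(bind_risk("0.0.0.0", auth_enabled=False))
    print(is_within_root(".", "notes/a.txt"), is_within_root(".", "../../etc/passwd"))
    print(build_argv("word_count", ["report.txt"]))
```

`bind_risk` is the startup-time check: a deployment that must listen beyond loopback should only pass review once an authentication layer is in place. `resolve_within_root` and `build_argv` belong inside the tool handlers themselves, where client-controlled strings first arrive.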

Researchers noted, “While our analysis did not reveal overtly harmful MCPs, we were shocked by the number of dangerously misconfigured servers.” The intersection of neighborjacking and insecure input handling allows for the potential escalation to complete control over the host system, enabling data deletion or unauthorized code execution.

Furthermore, MCP servers can be exploited for context poisoning, where adversaries manipulate the data fed into large language models, skewing their outputs. Backslash researchers encountered an organization that had deployed an MCP serving thousands of users without implementing adequate defenses against such manipulation.

The novelty of MCP technology results in underdeveloped security practices, with many misconfigurations arising from teams rushing to implement solutions without fully comprehending the associated risks. In light of these findings, Backslash Security recommends several mitigation strategies for organizations utilizing MCP servers. These include conducting thorough scans for insecure development plugins, ensuring only approved language models connect to the servers, and establishing strict API access controls to authenticate data sources and help prevent data poisoning.
