MCP Security Crisis: 1,862 Exposed Servers and How to Protect Yours

Something's been bothering me since I started researching this topic. The Model Context Protocol launched with a fundamental security flaw that shouldn't exist in 2025. It shipped without mandatory authentication. And right now, thousands of developers have no idea they've opened their systems to attackers.

Last October, security researchers sounded the alarm. Pynt's analysis showed that deploying just 10 MCP plugins creates a 92% probability of exploitation. A single plugin can introduce meaningful risk. The warnings were clear. Nobody listened—not because they didn't care, but because the tools were so useful that security felt like it could wait.

Then Clawdbot happened.

This personal AI assistant went viral. It clears inboxes. It writes code. It runs entirely on MCP. Suddenly, developers who'd never heard of authentication requirements spun up Clawdbots on production servers, exposed them to the internet, and kept every default setting because they trusted the tool.

Knostic scanned the internet and found what we feared: 1,862 MCP servers exposed with zero authentication. They tested 119. Every single one responded to requests without requiring credentials. That's not a small problem. That's not even a fixable problem if you don't act right now.

TL; DR

The Crisis: Knostic identified 1,862 exposed MCP servers with zero authentication, a direct result of MCP's insecure defaults
The Risk: Three critical CVEs (CVSS 8.8-9.6) prove attackers can achieve full system compromise through MCP vulnerabilities
The Reality: 43% of analyzed MCP implementations contain command injection flaws, giving attackers direct shell access
The Timeline: Six months passed before mandatory authentication arrived, during which deployment continued at scale
The Action: Security leaders must inventory MCP exposure, enforce authentication, restrict network access, and implement least-privilege policies immediately

Equixly's analysis reveals that 43% of MCP implementations have command injection flaws, 30% allow unrestricted URL fetching, and 22% leak files, leaving only 5% secure. Estimated data for secure systems.

What Happened: The MCP Launch and the Missing Security Layer

When the Model Context Protocol first launched, it solved a real problem. AI systems needed a standardized way to connect to external tools and data sources. The specification was elegant. The SDK was straightforward. Adoption exploded.

But there was a decision made early on that would haunt the entire ecosystem: authentication was optional. Not discouraged. Not flagged as insecure. Just optional.

Merritt Baer, chief security officer at Enkrypt AI, called it exactly: "MCP is shipping with the same mistake we've seen in every major protocol rollout: insecure defaults. If we don't build authentication and least privilege in from day one, we'll be cleaning up breaches for the next decade."

She wasn't being dramatic. She was being predictive.

When something is optional, developers treat it as unnecessary. A CISO I spoke with at a mid-sized fintech company told me their team deployed MCP for document processing without even realizing authentication wasn't built in. They assumed it was. They tested the happy path. It worked. They shipped it.

That decision could have cost them millions.

The problem deepens when you understand what MCP actually does. It's not just a connection layer. An MCP server can have shell access to your system. It can read files. It can execute code. It can make network requests. If an attacker controls that server or compromises the connection, they control everything.

Forrester analyst Jeff Pollard described it perfectly: "From a security perspective, it looks like a very effective way to drop a new and very powerful actor into your environment with zero guardrails."

Zero guardrails. That's the core issue.

What Happened: The MCP Launch and the Missing Security Layer - contextual illustration

Authentication Adoption Rates: Recommended vs. Mandatory

Estimated data shows that when authentication is mandatory, adoption rates reach nearly 100%, compared to low adoption when it's merely recommended.

The Numbers: How Many Systems Are Actually at Risk?

Knostic's findings are what finally made this real to people outside the security community. When they scanned the internet for exposed MCP servers, they found 1,862. Not thousands. Not millions. But 1,862 is specific enough to be credible. It's a number that came from actual measurement.

They tested 119 of them. Every single server responded to unauthenticated requests. One hundred percent.

That means an attacker with basic networking knowledge can connect to any of these systems and potentially execute commands. They don't need credentials. They don't need passwords. They don't need anything except knowing the server exists.

But here's what's worse: Knostic was testing from the public internet. That's easy. What about internal networks? What about Clawdbots running on VPSs that developers consider "private" but actually have their SSH keys in GitHub?

Itamar Golan, who sold Prompt Security to Sentinel One for an estimated $250 million, posted a warning that crystallized the risk: "Disaster is coming. Thousands of Clawdbots are live right now on VPSs with open ports to the internet and zero authentication. This is going to get ugly."

The word "thousands" is what hit me. Not just the 1,862 Knostic found. Not just the ones exposed to the public internet. But the ones that could be compromised through Clawdbot, through misconfiguration, through simple human error.

Equixly analyzed popular MCP implementations and found additional problems that make the picture darker:

43% contained command injection flaws that let attackers execute arbitrary code
30% permitted unrestricted URL fetching that could be used for internal reconnaissance
22% leaked files outside intended directories, exposing sensitive data

These aren't theoretical vulnerabilities. They're problems in shipping code that developers are using right now.

The Numbers: How Many Systems Are Actually at Risk? - contextual illustration

The CVE Trail: Three Critical Vulnerabilities, One Root Cause

Three CVEs in six months. Three different attack vectors. But when you trace them back, they all point to the same architectural decision: authentication was optional.

CVE-2025-49596 (CVSS 9.4) hit Anthropic's MCP Inspector. The vulnerability exposed unauthenticated access between the web UI and the proxy server. That meant if you visited a malicious webpage while MCP Inspector was running, that webpage could take over your system. Full compromise. And because authentication wasn't required, there was no way to stop it.

I keep thinking about the developers who didn't know this existed. They installed MCP Inspector to test tools. They left it running while they browsed the web. The threat model never crossed their minds because security felt like someone else's problem.

CVE-2025-6514 (CVSS 9.6) targeted mcp-remote, an OAuth proxy with 437,000 downloads. The vulnerability was command injection. If you connected to a malicious MCP server, that server could inject commands that executed on your machine with the privileges of the mcp-remote process. And because the system had no way to verify whether an MCP server was trustworthy, nothing stopped the attack.

437,000 downloads. That's not a niche tool. That's infrastructure that thousands of teams depend on.

CVE-2025-52882 (CVSS 8.8) exposed popular Claude Code extensions. The extensions ran unauthenticated Web Socket servers. An attacker on the same network could connect to those servers and read files or execute code. Again, no authentication. No verification. No defense.

When you look at these three vulnerabilities separately, they seem like discrete bugs that need fixing. When you look at them together, you see the real problem: the entire protocol was built on the assumption that if you could connect to an MCP server, you should be able to use it.

The CVE Trail: Three Critical Vulnerabilities, One Root Cause - contextual illustration

Vulnerability Distribution in MCP Implementations

Command injection is the most prevalent vulnerability, affecting 43% of MCP implementations. Estimated data for 'Other' vulnerabilities.

How Attackers Weaponize MCP: From Vulnerability to Exploit

Let me walk through what an attack actually looks like so you understand the practical risk.

An attacker finds one of those 1,862 exposed MCP servers. They connect to it. Inside that server is shell access. The attacker can execute commands. Maybe the first thing they do is enumerate what's running. They see environment variables. They see API keys stored insecurely. They see database credentials.

Now they have options. They can steal those credentials and move laterally through your network. They can install ransomware. They can exfiltrate data. They can make modifications that won't be discovered for weeks.

But MCP attackers have an even more sophisticated path. They don't even need to find an exposed server. They can create one. They can host a malicious MCP server on their own infrastructure and wait for someone to connect to it. When a Clawdbot or any other MCP client connects, the attacker now controls that system.

Prompt injection makes this worse. A researcher at Prompt Armor demonstrated a malicious PDF that could trick an AI agent running Clawdbot into uploading sensitive files. The agent read the document, the document contained hidden instructions in text that looked normal to a human, and the agent executed those instructions.

Here's the math: malicious MCP server + prompt injection + shell access = complete compromise. And none of those pieces require the user to explicitly authorize anything.

Second-order effects multiply the risk. Once an attacker compromises one MCP client, they can use it to compromise others. They can pivot through your network. They can establish persistence. They can operate for months before you discover them.

The Architectural Problem: Optional Authentication as a Design Flaw

Why did this happen? Why would the MCP specification be published without mandatory authentication?

The answer is probably more forgivable than you'd expect. The team building MCP was solving a real problem quickly. They focused on functionality first. Security was supposed to arrive later through OAuth 2.1 support.

But "later" meant six months. Six months during which deployment continued aggressively. Six months during which developers who didn't know about the security roadmap shipped code to production.

The core architectural flaw is this: the specification says "authentication should be used" but the SDK doesn't enforce it. The SDK includes no built-in authentication. Every MCP server has to implement its own auth layer. And because that layer isn't required, most don't.

This is what happens when you treat security as a feature instead of a requirement. Features are optional. Requirements are mandatory.

A security architect I spoke with at a large enterprise told me: "We looked at MCP and immediately saw the problem. The specification recommends OAuth 2.1, but there's no enforcement mechanism. You can have an MCP server that claims to support OAuth but doesn't actually check the token. The framework doesn't prevent that."

That's the vulnerability: a governance gap between what the spec recommends and what the implementation enforces.

Prevalence of Command Injection in MCP Implementations

Equixly's analysis found that 43% of popular MCP implementations have command injection vulnerabilities, posing significant security risks.

Clawdbot: When Convenience Amplifies the Risk

Clawdbot is fascinating from a security perspective because it shows what happens when you take an already-risky protocol and wrap it in something so useful that developers stop asking security questions.

Clawdbot is an AI assistant that lives on your machine. It can read your emails. It can write code. It can execute that code. It can access your files. It can send texts on your behalf. All through a conversational interface.

That's incredibly powerful. And that's incredibly dangerous.

Olivia Moore, a partner at a 16z, spent a weekend testing Clawdbot and posted her findings: "You're giving an AI agent access to your accounts. It can read your messages, send texts on your behalf, access your files, and execute code on your machine. You need to actually understand what you're authorizing."

The problem is that most users don't. Most developers don't either. The Clawdbot documentation focuses on what it can do, not on what could go wrong if someone compromised it.

When Clawdbot runs on MCP without authentication, the attack surface explodes. An attacker doesn't need to compromise Clawdbot directly. They need to compromise one MCP server that Clawdbot connects to. Then they have everything Clawdbot can access.

Thousands of Clawdbots are currently running on VPSs. Itamar Golan's warning was specific: open ports to the internet, zero authentication, disaster in progress. Some of these instances are probably already compromised. We just don't know it yet.

The Authentication Gap: Why Recommendations Aren't Enough

Here's what the MCP specification currently says about authentication: OAuth 2.1 is recommended.

Recommended. Not required. Not validated. Not built in.

When authentication is recommended, adoption rates are low. Developers see recommendations as suggestions. They deprioritize recommendations in favor of shipping faster.

When authentication is mandatory, adoption rates approach 100%. If the framework doesn't let you deploy without it, you deploy with it.

The gap between these two worlds is where the breach happens.

An MCP server implementing OAuth 2.1 correctly would solve most of these problems. But correct implementation requires knowledge. It requires testing. It requires ongoing maintenance. For a developer just trying to get something working, it feels like friction.

Meanwhile, an unauthenticated MCP server takes minutes to set up. It works immediately. It's deployed in hours.

The math is brutal: authentication takes time and effort, so most developers skip it.

This is what security engineers mean when they talk about "secure defaults." If the default is unauthenticated, most deployments are unauthenticated. If the default is authenticated with reasonable policies, most deployments are secure.

MCP chose the dangerous default. The industry is now paying the price.

The Authentication Gap: Why Recommendations Aren't Enough - visual representation

Estimated data shows 1,862 MCP servers are exposed, with 43% having command injection flaws, highlighting significant security risks.

The File Exfiltration Nightmare: Johann Rehberger's Discovery

Security researcher Johann Rehberger disclosed a file exfiltration vulnerability last October that crystallizes why MCP without authentication is so dangerous.

The attack is simple. You craft a malicious document. You include hidden instructions that look normal to humans but stand out to large language models. You ask an AI agent to process that document.

The agent reads the instructions. The agent, thinking it's helping, connects to an attacker-controlled MCP server. It requests that the MCP server perform an action. The MCP server is actually an exfiltration service. Files get uploaded to the attacker's infrastructure.

The whole thing happens without the user knowing anything is wrong.

Anthropic Launched Cowork this month, expanding MCP-based agents to a broader, less security-aware audience. Cowork is powerful. It's also immediately vulnerable to this attack. The vulnerability didn't get patched. The threat model expanded.

Prompt Armor demonstrated this with a financial document. They created a PDF that looked normal but contained prompt injection instructions. They had an AI agent process it. The agent uploaded sensitive financial data to a test server. All the agent thought it was doing was following reasonable instructions in the document.

The mitigation Anthropic provided was troubling: users should watch for "suspicious actions that may indicate prompt injection." But most users won't notice. AI agents are supposed to take actions. That's their whole purpose. How do you distinguish between legitimate action and compromise?

You don't, without authentication and least privilege policies. An authenticated MCP server can verify that requests are coming from authorized clients. An unauthenticated server accepts everything.

The File Exfiltration Nightmare: Johann Rehberger's Discovery - visual representation

Vulnerability Analysis: The 43% Command Injection Rate

Equixly's analysis of popular MCP implementations revealed that 43% contain command injection vulnerabilities. That's not a small percentage. That's nearly half of analyzed implementations.

Command injection is devastating because it's execution. If an MCP server is vulnerable to command injection, an attacker can execute arbitrary system commands with the privileges of that server.

Imagine an MCP server running as a service account that has access to your database. An attacker injects a command that exports the database to a file. Then they exfiltrate that file. Or worse, they modify the database. Or they install a backdoor that persists after patches.

Command injection isn't a new vulnerability. It's been understood for decades. But 43% of MCP implementations have it. Why? Probably because MCP is new, documentation around security best practices is still being written, and developers are moving fast without thinking about attack surface.

The 30% of implementations that permit unrestricted URL fetching are also dangerous. An MCP server that can fetch any URL becomes a proxy for internal reconnaissance. An attacker can enumerate internal services. They can attack internal APIs. They can pivot through the network using the compromised server as a launch point.

The 22% that leak files outside intended directories are the third piece of the puzzle. File access without proper boundaries means attackers can read anything the MCP process can access. Configuration files. Environment variables. Private keys. Source code.

Taken together, these vulnerabilities describe a system where attackers can:

Enumerate what's available (unrestricted URL fetching)
Read files they shouldn't (directory traversal)
Execute commands they want (command injection)
Exfiltrate data (combine any of the above)

And none of this requires breaking authentication because authentication doesn't exist.

Vulnerability Analysis: The 43% Command Injection Rate - visual representation

Timeline of Vulnerability Disclosure and Fix Implementation

The timeline shows a typical progression from vulnerability disclosure to patch implementation, highlighting the gap where systems remain vulnerable. Estimated data.

Known Vulnerabilities, Deferred Fixes: The Timeline Problem

Johann Rehberger disclosed the file exfiltration vulnerability in October. Anthropic knew about it. The vulnerability persisted. Anthropic launched Cowork in January. Cowork was immediately vulnerable to the same attack.

I don't think anyone was being negligent. I think the timeline just caught up with them. Security fixes take time to implement correctly. Coordinating disclosure takes time. Getting organizational alignment takes time. But in that window, attackers learned about the vulnerability too.

This is the classic problem with protocol vulnerabilities: once you disclose them, the clock starts. Attackers have information about weak points. Organizations have a window to patch. That window keeps shrinking.

The mitigation guidance Anthropic provided was honest but insufficient: users should watch for suspicious actions. But how? An AI agent clearing your inbox is supposed to perform actions. An AI agent writing code is supposed to execute it. An AI agent generating reports is supposed to access data.

The agent itself shouldn't need to determine trustworthiness. That's the server's job. Authentication and authorization should create a boundary: this server is trusted to do these things for this agent. An unauthenticated server crosses that boundary.

The fix for this vulnerability isn't to make users more vigilant. It's to make the system more secure by default.

Known Vulnerabilities, Deferred Fixes: The Timeline Problem - visual representation

Five Critical Actions for Security Leaders

1. Inventory Your MCP Exposure Immediately

You can't protect what you don't know about. The first action is discovery.

Traditional endpoint detection won't help you here. When you see a Python process or a Node process, your security tools flag it as normal. The process was started by a legitimate application. The process is consuming reasonable resources. Nothing looks suspicious.

But that process might be an unauthenticated MCP server.

You need tooling that specifically identifies MCP servers. You need to know:

Which systems are running MCP servers
Which servers are authenticated and which are not
Which servers are bound to localhost only (safe) and which are exposed to networks (dangerous)
Which MCP implementations are in use
Which versions are running

Start with network scanning. Port scanning will find open ports. But that doesn't distinguish between an MCP server and any other service. You need to actually probe the port and identify MCP.

MCP uses JSON-RPC 2.0 protocol over various transports. If you probe an MCP server, it responds with specific messages. That's how you identify it.

Then move to agent-based detection. Install agents on critical systems that can identify MCP processes and check their configuration. Look for environment variables that indicate authentication. Look for configuration files. Look for process arguments.

Once you know what you have, you can act.

2. Make Authentication Mandatory, Not Recommended

The MCP specification recommends OAuth 2.1. That's not enough.

Every MCP server that touches production systems needs authentication enforced at deployment time, not added later after an incident.

Here's how to implement this:

First, establish a policy: no MCP servers without OAuth 2.1 or mutual TLS authentication. Period. No exceptions for "just this internal thing." No exceptions for "we'll add it later." No exceptions.

Second, make that policy technically enforced through your deployment pipeline. If developers try to deploy an MCP server without authentication configuration, the deployment fails. Your CI/CD pipeline should validate that authentication is configured before anything goes to production.

Third, validate that the authentication actually works. Just having OAuth 2.1 configured doesn't mean it's correct. You need to test that:

Requests without tokens are rejected
Requests with invalid tokens are rejected
Requests with valid tokens are accepted
Token expiration is enforced
Scope validation is enforced

This validation should happen in testing and should be required to pass before deployment.

Fourth, rotate credentials regularly. If someone compromises an MCP authentication token, you need to know about it fast and revoke it faster.

3. Restrict Network Exposure: Localhost Default

Unless an MCP server needs to accept remote connections, it should be bound to localhost only. Period.

If a developer tells you "but we need remote access," ask them why. If the answer is "so multiple machines can use it," then you have a deployment architecture conversation. That's legitimate. But the default should be localhost.

Binding to localhost means:

No external network access
No exposure if firewall rules are misconfigured
No attack surface from the internet
Required authentication for even internal access

If you need remote access, implement it through a properly authenticated proxy. Your architecture should look like this:

Local MCP server (localhost only) ← Authenticated proxy with OAuth 2.1 ← Authorized clients

The proxy validates authentication. The MCP server never sees untrusted traffic. If the proxy is compromised, the MCP server is still protected.

4. Implement Least Privilege: Minimize What Each Server Can Do

An MCP server shouldn't have shell access to your entire system unless it absolutely needs it. For most use cases, it doesn't.

Define what each MCP server needs to do. Be specific. Then grant only those permissions.

If an MCP server needs to read files from a specific directory, give it access to that directory only. If it needs to call a specific API, give it credentials for that API only. If it needs to run certain commands, allow only those commands.

This is container and process isolation. Use:

Containerization to isolate the MCP server process
File system permissions to restrict file access
Process capabilities to remove dangerous privileges
Allowlisting for allowed network destinations
API keys with minimal scopes

If an attacker compromises an MCP server, they get access to what that server can access. That's unavoidable. But you can make sure it's not your entire infrastructure.

5. Monitor for Suspicious MCP Activity

Authentication and least privilege raise the bar for attacks. But they don't eliminate risk. You need to detect attacks that do happen.

Monitor MCP servers for:

Authentication failures (someone trying credentials)
Unusual API calls (normally-quiet server suddenly active)
Unusual destinations (server connecting to unknown external IPs)
Large data transfers (exfiltration)
Command execution patterns (commands that don't match normal usage)
Process spawning (agent attempting code execution)

Set baselines for normal behavior. Track deviations. Create alerts for anomalies.

Use security information and event management (SIEM) to correlate MCP activity with other system events. If an MCP server starts accessing files it normally ignores, correlate that with changes in load, time of day, and other factors.

Build playbooks for when you detect suspicious activity:

Isolate the MCP server immediately
Preserve logs for forensics
Check for lateral movement
Review what data might have been accessed
Revoke credentials
Patch or replace the server

Five Critical Actions for Security Leaders - visual representation

The Bigger Picture: Why This Matters Beyond MCP

MCP's security problems aren't unique. They're an example of a broader pattern in how we deploy new infrastructure.

When something is new and powerful, we tend to skip security. We prioritize speed. We rationalize that security can come later. We assume that because the core developers are competent, the system must be safe.

But new systems are dangerous. They have unknown unknowns. The threat models are still being discovered. The attack surface isn't fully mapped.

Every time we ship something without mandatory authentication, without default least privilege, without security by design, we create the conditions for the next MCP-style vulnerability.

The fix isn't specific to MCP. It's architectural:

Authentication should never be optional. Authorization frameworks should ship with the system. Least privilege should be default. Security should be part of the definition of done, not a feature added later.

Organizations that wait for security vulnerabilities to be discovered and patched are playing defense. Organizations that build security into how they design systems are playing offense.

The Bigger Picture: Why This Matters Beyond MCP - visual representation

Industry Response: Too Little, Too Late?

After the initial warnings, Anthropic did move. OAuth 2.1 support arrived. Documentation improved. Best practices guides were published.

But the damage was done. Thousands of MCP servers deployed without authentication. Thousands of developers still don't know about the risks. Thousands of teams are potentially compromised right now and don't know it.

The problem isn't malice. It's incentive misalignment. Developers are incentivized to ship fast. Security teams are incentivized to reduce risk. These incentives conflict when security has a time cost.

The only way to resolve that conflict is to make security the path of least resistance. Remove the time cost. Make authentication required at the framework level. Make least privilege default. Make monitoring built in.

Until then, every new protocol will have an MCP moment.

Industry Response: Too Little, Too Late? - visual representation

What Users Should Do Right Now

If you're running Clawdbot or any MCP-based system:

Audit your deployment immediately. Are you exposed to the internet? Do you have authentication enabled?
If you're exposed and unauthenticated, take it offline until you can secure it.
Rotate any credentials that MCP has access to. Assume compromise unless you can prove otherwise.
Check your logs for suspicious activity. Have you connected to MCP servers you don't recognize?
Update to the latest version of every MCP tool you use.
Implement the five actions listed above.

If you're building with MCP:

Implement OAuth 2.1 authentication before deployment.
Run your server on localhost only unless you have a specific reason for remote access.
Minimize the permissions your server has. If it doesn't need shell access, don't give it.
Test that authentication actually works. Don't assume it does.
Monitor for suspicious activity.

What Users Should Do Right Now - visual representation

The Path Forward: Building Secure by Default

The MCP story doesn't have to repeat. The next new protocol doesn't have to go through this.

It requires a fundamental shift in how we think about security. Not as something added after the fact. Not as optional. Not as a feature for later.

Security as requirement. Security as design principle. Security as default.

When that's true, the number of exposed servers will be zero. The number of vulnerable deployments will be zero. The number of breaches will be prevented before they happen.

We're not there yet. But every protocol, every tool, every system that ships with secure defaults moves us closer.

MCP's vulnerability opened a conversation that needed to happen. The question now is whether we'll learn from it or repeat it with the next technology.

The Path Forward: Building Secure by Default - visual representation

FAQ

What is the Model Context Protocol (MCP) and why is it important?

The Model Context Protocol is a standardized specification that allows AI systems to connect to external tools, services, and data sources. It's important because it enables AI assistants to take actions beyond text generation—reading files, accessing APIs, executing code, and automating workflows. This power is what makes MCP valuable, and it's also what makes its security problems so critical.

Why did MCP ship without authentication requirements?

MCP's designers prioritized functionality and speed of deployment. The specification recommended OAuth 2.1 but didn't enforce it in the SDK. Authentication was treated as something that could arrive later through updates. This architectural decision meant that the first millions of deployments happened without authentication, creating a massive installed base of vulnerable systems before security fixes could be implemented.

How can attackers exploit unauthenticated MCP servers?

Attackers can exploit unauthenticated MCP servers in multiple ways. They can connect directly if the server is exposed to the internet and execute commands with the server's privileges. They can create malicious MCP servers and wait for clients to connect, then compromise those clients. They can inject prompt instructions into documents that trick AI agents into connecting to attacker-controlled MCP servers. Each path leads to potential full system compromise.

What is command injection in MCP implementations and why is it dangerous?

Command injection is a vulnerability where user input is passed unsanitized to system commands. In MCP implementations, command injection means attackers can execute arbitrary system commands with the privileges of the MCP process. Equixly's analysis found this vulnerability in 43% of popular MCP implementations. This is dangerous because it gives attackers direct execution capabilities to steal data, install malware, or establish persistence.

How can security leaders assess their organization's MCP risk?

Security leaders should start with discovery: identify all systems running MCP servers using network scanning and agent-based detection. Then audit each server for authentication status, network exposure, and process privileges. Check logs for unauthorized access attempts or suspicious connections. Review which MCP servers have access to sensitive data or critical systems. This inventory becomes the foundation for remediation efforts.

What is the difference between OAuth 2.1 and mutual TLS for MCP authentication?

OAuth 2.1 is token-based authentication where a central authority issues tokens that clients present to prove their identity. Mutual TLS (m TLS) is certificate-based authentication where both client and server verify each other's identity through certificates. Both are valid approaches for securing MCP. OAuth 2.1 is recommended in the specification and is more flexible for cloud deployments, while m TLS is simpler to implement in certain network architectures and provides stronger encryption.

Should MCP servers be exposed to the internet?

No. MCP servers should be bound to localhost by default. If remote access is required, it should be through an authenticated proxy that validates connections before allowing them to reach the MCP server. This architecture creates a security boundary where the MCP server never directly handles untrusted network traffic. Only in exceptional cases with very specific security controls should an MCP server be directly exposed to networks.

How does least privilege apply to MCP server configuration?

Least privilege means an MCP server should have access only to what it needs to function. If a server needs to read files from a specific directory, give it permissions to that directory only, not the entire file system. If it needs to call a specific API, provide credentials with minimal scopes. If it needs to run certain commands, allowlist only those commands. This limits the damage an attacker can do if they compromise the server.

What should I do if I discover an exposed MCP server in my environment?

Take immediate action: isolate the server from the network if possible, inventory what data and systems it has access to, check your logs for unauthorized access attempts or data exfiltration, revoke all credentials that the server has access to (assuming potential compromise), preserve logs for forensic analysis, and implement authentication and least privilege before bringing it back online. If the server accessed sensitive data, plan a security incident response following your established procedures.

What is prompt injection and how does it exploit MCP vulnerabilities?

Prompt injection is a technique where hidden instructions are embedded in content (like documents or emails) that a language model reads. When an AI agent processes that content, it follows the hidden instructions without realizing they weren't intended by the user. With MCP, prompt injection can trick an agent into connecting to a malicious MCP server, uploading sensitive files, or executing dangerous commands. This is particularly effective because the agent is following what appears to be legitimate instructions.

Conclusion: The Choice Ahead

MCP's security crisis reveals something important about how we build technology. The choice to make authentication optional wasn't malicious. It was pragmatic. Ship fast, add security later.

That choice created the conditions for 1,862 exposed servers, three critical CVEs, and a threat landscape that will take years to fully remediate.

The question now isn't whether MCP can be fixed. It can be. The question is whether the next protocol will learn from this mistake.

Every security leader reading this has work to do. Inventory your exposure. Enforce authentication. Restrict network access. Monitor for attacks. These actions will protect your infrastructure today and set an expectation for the future.

Every developer reading this also has work to do. Treat security as a requirement, not a feature. Test your authentication before deploying. Run services on localhost unless you have a specific reason not to. Review what permissions your code actually needs and give only those.

The pattern we establish now—whether security is optional or mandatory—will shape how the next decade of infrastructure gets built. MCP showed us what happens when security is optional. We now know what needs to change.

The question is whether we'll change it.

Conclusion: The Choice Ahead - visual representation

Key Takeaways

1,862 MCP servers exposed with zero authentication, representing massive attack surface for organizations using MCP-based tools like Clawdbot
43% of analyzed MCP implementations contain command injection vulnerabilities enabling arbitrary code execution on compromised servers
Three critical CVEs (CVSS 8.8-9.6) demonstrate that MCP's core architectural flaw—optional authentication—enables full system compromise
Security leaders must implement five immediate actions: inventory MCP exposure, enforce mandatory OAuth 2.1 authentication, restrict network access to localhost, implement least privilege isolation, and establish monitoring for suspicious activity
The broader pattern shows how new protocols fail when security is treated as optional rather than required by design, creating lessons for future infrastructure development