Critical RCE Vulnerabilities in Microsoft Exchange Servers Expose 2,259 Orgs
Key Takeaways A comprehensive audit revealed 4,982 security vulnerabilities across 2,259 public Model Context Protocol (MCP) servers. These flaws threaten the emerging AI agent ecosystem, which...
Key Takeaways
- A comprehensive audit revealed 4,982 security vulnerabilities across 2,259 public Model Context Protocol (MCP) servers.
- These flaws threaten the emerging AI agent ecosystem, which relies on MCP for connecting large language models (LLMs) to data and executing code.
- Vulnerabilities include arbitrary file access, command injection, unauthenticated access, and prompt injection.
- Server popularity or verification status did not correlate with improved security, indicating systemic issues rather than isolated errors.
- Organizations are urged to implement rigorous security measures, including code review, authentication, input validation, and real-time traffic inspection.
A recent large-scale security audit has uncovered a widespread crisis within public Model Context Protocol (MCP) servers, identifying nearly 5,000 security issues across more than 2,200 affected servers. This significant exposure poses a direct threat to the rapidly evolving agentic AI ecosystem.
Table Of Content
The Model Context Protocol has become an essential framework for linking large language models (LLMs) with both local and remote data sources. This connectivity empowers AI applications to function as active agents, capable of executing code, querying databases, and managing cloud infrastructure, thereby forming a critical foundation for the modern AI economy.
Despite its swift adoption, the security measures surrounding MCP directories have not kept pace with their growth, leading to substantial vulnerabilities.
Extensive Vulnerability Discovery Across MCP Servers
Researchers from Trend Micro’s Forward-Looking Threat Research Team identified confirmed security issues in 2,259 servers. Their comprehensive audit involved crawling 9,695 MCP servers from prominent public directories, including GitHub, Glama, Lobehub, and PulseMCP. This effort uncovered a total of 4,982 distinct vulnerabilities.
The identified vulnerabilities are diverse and alarming. They include 880 issues related to arbitrary file access, 2,054 instances of missing authentication, 476 command injection flaws, 490 denial of service vulnerabilities, 422 Server-Side Request Forgery (SSRF) issues, 211 SQL injection vulnerabilities, 155 cross-site scripting flaws, 185 prompt injection vulnerabilities, 8 authorization bypasses, and 101 code injection vulnerabilities.
These security issues were categorized into three primary risk groups: exploitable vulnerabilities, design-level weaknesses (where the system is inherently vulnerable by design), and malicious behaviors such as prompt injection, which allows attackers to directly manipulate AI agent responses.
Security Issues Identified in MCP Servers
A critical revelation from the study is that neither the popularity of a server nor its verification status serves as a reliable indicator of its security posture. Verified servers, on average, exhibited nearly as many security issues as their unverified counterparts.
Servers with high popularity (over 50 GitHub stars) presented the largest potential impact, as a compromise of these widely adopted tools would affect the broadest user base. Conversely, servers with low star counts displayed a surprisingly high average number of issues per server, demonstrating that low visibility does not equate to low risk.
Similarly, an increased number of code commits did not correlate with a meaningful reduction in security issues. More active development often introduced more code without corresponding improvements in security practices.
The research uncovered vulnerable servers across a spectrum of applications, including cryptocurrency and DeFi tools, office automation platforms, and various enterprise applications.
For instance, one prolific developer managing over 40 crypto-focused MCP servers was found to have 101 security issues across 13 repositories. These flaws included server-side template injection and prompt injection vulnerabilities, which could potentially facilitate unauthorized blockchain transactions.
Another developer’s office automation servers contained direct eval() calls, enabling arbitrary Python code execution. Furthermore, enterprise JDBC/ODBC middleware servers exhibited SQL injection vulnerabilities and unauthenticated access to Active Directory, creating clear pathways for attackers to conduct reconnaissance and escalate privileges.
The study also highlighted that security flaws rarely occur in isolation. Researchers observed frequent co-occurrence patterns, most notably the combination of arbitrary file access with missing authentication. This pattern suggests systemic failures in input validation and fundamental security hygiene, rather than isolated coding errors.
What You Should Do
- Review All Third-Party MCP Server Code: Mandate a thorough code review of all third-party MCP server code before deployment, irrespective of its perceived reputation or verification.
- Enforce Authentication and Least Privilege: Implement robust authentication mechanisms and strictly apply the principle of least privilege for all access controls.
- Validate All Tool Inputs: Rigorously validate all inputs to MCP tools to prevent various injection attacks, including command, SQL, and prompt injection.
- Implement Real-Time Traffic Inspection: Deploy solutions for real-time traffic inspection between AI agents and MCP servers to detect suspicious activities.
- Adopt Behavioral Baselining: Establish behavioral baselines for MCP tools and monitor for deviations from their intended functions, indicating potential compromises.
- Abandon Trust-by-Default Assumptions: Recognize that social proof metrics like GitHub stars or directory badges offer no guarantee of security; only rigorous code audits and zero-trust integration practices provide genuine assurance.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.