Model Context Protocol (MCP) continues to face serious security issues that are not going away. Last October, VentureBeat reported on MCP’s vulnerabilities, revealing alarming data. Research conducted by Pynt showed that deploying just 10 MCP plug-ins creates a 92% probability of exploitation, with even a single plug-in posing a significant risk.
The fundamental flaw in MCP remains unchanged since its inception. The protocol was initially shipped without mandatory authentication, with authorization frameworks only being introduced six months after widespread deployment. Merritt Baer, Chief Security Officer at Enkrypt AI, had previously warned about this oversight, stating that insecure defaults like this one often lead to breaches that can haunt organizations for years.
Recently, a new threat emerged with the rise of Clawdbot, a popular personal AI assistant that operates solely on MCP. Many developers who hastily set up Clawdbot on Virtual Private Servers (VPS) without properly configuring security settings inadvertently exposed their organizations to potential attacks.
Itamar Golan, who sold Prompt Security to SentinelOne for an estimated $250 million, raised concerns about the situation. He pointed out that thousands of Clawdbots were live on VPSs with open ports and zero authentication, making them vulnerable to exploitation.
A scan conducted by Knostic found 1,862 MCP servers exposed without authentication, highlighting the widespread nature of the issue. These servers are at risk of being exploited for various malicious activities.
Several Critical Vulnerabilities and Exploits (CVEs) have been identified in MCP, all stemming from the protocol’s lack of mandatory authentication. Anthropic’s MCP Inspector, mcp-remote, and popular Claude Code extensions have all been affected by severe vulnerabilities, allowing attackers to compromise systems through different attack vectors.
The attack surface of MCP continues to expand, with Equixly identifying multiple vulnerabilities in popular MCP implementations. Forrester analyst Jeff Pollard emphasized the risks associated with allowing AI agents like Clawdbot to operate without proper security measures in place.
Despite known vulnerabilities and deferred fixes, organizations are slow to address the security gaps in MCP. Prompt injection attacks, file exfiltration vulnerabilities, and other exploits remain prevalent, putting sensitive data at risk.
Security leaders are advised to take proactive measures to secure their MCP exposure. This includes conducting an inventory of MCP servers, enforcing mandatory authentication, restricting network exposure, and assuming prompt injection attacks are inevitable.
The governance gap between developer enthusiasm for AI agents like Clawdbot and security governance within organizations is widening. As the adoption of AI agents grows, it is crucial for organizations to prioritize securing their MCP environments to prevent potential breaches. Failure to do so could result in severe consequences for businesses.
