As the Model Context Protocol ecosystem grows, the attack surface is shifting from theoretical risks to concrete exploitation. This month’s digest highlights critical architectural weaknesses, ranging from “overthinking loops” that drain API budgets to high-privilege RCE vulnerabilities in Claude Desktop extensions.
Statistics: 8 resources in total, broken down by category below.
GenAI security resources:
Threat Model
MCP’s first year: what 30 CVEs and 500 server scans tell us
Analysis reveals that MCP has become AI’s fastest-growing attack surface, with 30 CVEs filed in just 60 days. The data shows that 38% of 500+ scanned servers completely lack authentication.
MCP security: understanding vulnerabilities in Model Context Protocol
This post demonstrates three distinct MCP attack techniques, providing working code examples and PoC implementations. It specifically details external prompt injection, tool prompt injection, and cross-tool hijacking.
The hidden dangers of AI agents: 11 critical security risks in MCP
This article provides a systematic catalog of 11 MCP vulnerability classes, highlighting supply chain typosquatting and cross-server context abuse. It includes details on CVE-2025-6514 (CVSS 10.0 RCE) and tool poisoning risks.
Defense
Building a secure MCP server with OAuth 2.1 and Azure AD
This guide presents a Microsoft ISE production-ready MCP server implementation. It features detailed code examples for OAuth 2.1, JWKS-cached token validation, and OBO flows.
Enterprise MCP access control: managing tools, servers, and agents
This post outlines a comprehensive tool-level access control architecture for MCP. It covers per-tool permissions, server-level policies, and agent-scoped access boundaries suitable for enterprise deployments.
Vulnerability
Anthropic’s DXT poses ‘critical RCE vulnerability’
A critical architectural decision in Claude Desktop Extensions allows MCP servers to run with high privileges. This configuration enables chaining low-risk tools to high-risk local executors, potentially leading to zero-click RCE via malicious calendar invites.
Research
Overthinking loops in agents: a structural risk via MCP tools
Researchers have identified that malicious MCP tool servers can exploit tool-using LLM agents by inducing cyclic ‘overthinking loops’. The attack amplifies token consumption by up to 142.4x and increases latency, creating a severe denial-of-wallet risk.
CISO
Model Context Protocol (MCP): the layer that elevates a chatbot into an agent
This article provides a comprehensive risk catalog of MCP attack surfaces including supply chain threats and tool poisoning. It specifically addresses chaining abuse and transitive trust violations with compliance mapping.
Harden your tools now
The discovery of critical RCEs in both reference and downstream MCP implementations proves that isolation is no longer optional for agentic systems. Security teams must enforce privilege restrictions, timeouts, and cost controls for all MCP servers in production to prevent significant financial and technical compromise. Once those measures are in place, consider red teaming your AI stack to verify that these controls hold.