Top MCP security resources — June 2026

Categories: MCP Security, MCP Security Digest. By Sergey, June 4, 2026.

Background

MCP went from a convenient way to plug tools into agents to one of the most exposed surfaces in the AI stack — and this month the measurements made that concrete. Censys counted 12,520 Internet-accessible MCP services, most of them unauthenticated, while a separate study found that roughly 40% of remote servers expose their tools with no authentication at all. The vulnerability side was just as busy: VIPER-MCP swept about 40,000 server repositories and produced 67 CVEs, Akamai disclosed three database-MCP flaws (one left unpatched), and the NSA published its own design-considerations guidance for locking MCP down. Below is the month’s MCP security reading, sorted by category.

Statistics

Total resources: 10
Category breakdown:

Category               Count
Research                   3
MCP vulnerabilities        2
MCP defense                2
Framework                  1
Threat modelling           1
Training materials         1

MCP security resources

Research

A first measurement study on authentication security in real-world remote MCP servers

The first large-scale measurement of authentication on remote MCP servers found that roughly 40% expose their tools with no authentication at all. The work also surfaced nine CVEs traced back to broken OAuth flows.

Update on exposed MCP servers: the threat widens to the cloud

Trend Micro’s follow-up scan counts 1,467 exposed MCP servers and reports CVSS 9.8 command-injection flaws in unofficial AWS and Azure MCP servers. The takeaway is that the exposure problem is no longer confined to local setups — it has reached the cloud.

MCP servers on the internet

Censys found 12,520 Internet-accessible MCP services, most of them unauthenticated. Many expose sensitive database-query and command-execution capabilities directly to anyone who connects.

MCP vulnerabilities

Bug hunter tracks down three massive MCP flaws and one vendor won’t fix theirs

Akamai disclosed SQL injection in the Apache Doris MCP server, an unauthenticated metadata-exfiltration flaw in Alibaba’s RDS MCP, and a potential takeover in Apache Pinot’s MCP. One of the three vendors declined to patch.

MCP tool poisoning (CVE-2025-54136): a structural vulnerability in agent context

This write-up explains MCP tool poisoning (CVE-2025-54136): a third-party server’s boot-loaded tool metadata lands in the context window carrying prompt-level authority. That authority lets it inject instructions silently, with no user action required.

MCP defense

Attested tool-server admission: a security extension to the Model Context Protocol

This proposal adds signed clearance assertions and deny-by-default allowlists so hosts can admit third-party MCP servers safely. Crucially, it works as an extension, without changing the underlying protocol.

MCPShield: content-aware attack detection for LLM agent tool-call traffic

MCPShield encodes MCP sessions as embedding-enriched graphs and runs a graph neural network over them to flag attacked sessions. It classifies tool-call traffic as benign or malicious at the session level.

Framework

VIPER-MCP: detecting and exploiting taint-style vulnerabilities in Model Context Protocol servers

VIPER-MCP is a combined static-and-dynamic framework for finding taint-style flaws in MCP servers. Run across roughly 40,000 server repositories, it uncovered 106 zero-day vulnerabilities and produced 67 CVEs.

Threat modelling

Memory is a feature. It is also an attack surface

This OWASP piece frames an agent’s persistent memory — along with its hooks and MCP configuration — as a first-class attack surface. Untrusted input that reaches any of these poisons the agent’s reasoning across future sessions.

Training materials

Model Context Protocol (MCP): security design considerations for AI-driven automation

Authoritative NSA guidance on MCP walks through its inverted client-server pattern, the risk of unverified task propagation between servers, and arbitrary-code-execution exposure. It is the closest thing to an official baseline for securing MCP deployments.

Lock down your MCP servers first

The single highest-impact move for MCP is the dullest one: put authentication in front of every remote MCP server and take the unauthenticated ones off the public Internet. The Censys and Trend Micro counts show most operators still have not done that. Audit which third-party MCP servers you boot-load, because the tool-poisoning CVE shows their metadata enters the context window with instruction-level authority before anyone reviews it. Treat agent memory and MCP configuration as untrusted input paths. And start planning how to inspect every exchange between the agent and MCP to catch anomalous behavior before damage occurs. The NSA guidance is a reasonable baseline to design against.
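As an added example (not code from any of the resources above), here is a small Python audit of an MCP client configuration that applies two of those steps: every remote server must be reached over HTTPS with an auth header, and every server, local or remote, must be on a deny-by-default allowlist. The config layout (an "mcpServers" map of name to either {command, args} or {url, headers}) and the sample entries are assumptions.

```python
"""Audit an MCP client config against the checklist above.

Assumption: the config is a JSON object with an "mcpServers" map whose
entries are either local stdio servers ({"command", "args"}) or remote
servers ({"url", "headers"}), modelled on common MCP client configs."""
import json
from urllib.parse import urlparse

# Constructed sample config: one local server, three remote ones.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "@example/fs-server"]},
        "db-query": {"url": "http://db.internal:8080/mcp"},
        "tickets": {"url": "https://tickets.example.com/mcp",
                    "headers": {"Authorization": "Bearer <token>"}},
        "unknown-tool": {"url": "https://mcp.third-party.example/mcp",
                         "headers": {"Authorization": "Bearer <token>"}},
    }
})

# Deny by default: only server names listed here are admitted.
ALLOWLIST = {"filesystem", "db-query", "tickets"}


def audit_mcp_config(config_text, allowlist):
    """Return a sorted list of (server, finding) tuples; empty means clean."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        # Allowlist applies to every server the agent boot-loads.
        if name not in allowlist:
            findings.append((name, "not on allowlist; deny by default"))
        url = spec.get("url")
        if url is None:
            continue  # local stdio server: no network transport to check
        scheme = urlparse(url).scheme
        if scheme != "https":
            findings.append((name, f"remote transport is {scheme}, not https"))
        # Header names are case-insensitive, so normalise before checking.
        headers = {k.lower(): v for k, v in spec.get("headers", {}).items()}
        if "authorization" not in headers:
            findings.append((name, "remote server configured without auth header"))
    return sorted(findings)


if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE_CONFIG, ALLOWLIST):
        print(f"{server}: {finding}")
```

The header check only confirms the client sends credentials; whether the server actually enforces them is the server-side gap the Censys and Trend Micro counts describe, so it still has to be verified against the server itself.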

Written by: Sergey
