Model Context Protocol (MCP) servers have rapidly become a cornerstone of modern AI infrastructure, enabling large language models (LLMs) and other AI agents to access, process, and act on external data and tools in real time. As organizations embrace MCP to unlock smarter automation and richer integrations, a parallel surge in security incidents has revealed a host of critical vulnerabilities. This blog explores the most pressing security risks facing MCP servers, real-world exploits, and best practices for mitigation—backed by the latest research and industry reports.

What Makes MCP Servers a Security Target?

MCP servers act as bridges between AI models and the outside world, exposing APIs that allow models to fetch data, execute commands, and trigger workflows. This powerful capability is also their Achilles’ heel: a single misconfiguration or overlooked vulnerability can grant attackers wide-reaching access to sensitive systems, data, and user accounts.
Common Security Vulnerabilities in MCP Servers

Command Injection: A significant proportion of MCP server implementations are vulnerable to command injection attacks. Poor input validation allows attackers to append malicious commands to legitimate requests, potentially leading to unauthorized system access, data destruction, or full server compromise. Recent studies found that over 40% of public MCP servers tested were susceptible to such flaws. (Read more)

Example: An attacker could exploit an image conversion tool by injecting shell commands into the file path parameter, causing the server to leak sensitive files or execute arbitrary code.

Token Theft and Credential Leaks: MCP servers often store OAuth tokens or API credentials to access third-party services on behalf of users. If these tokens are kept in plaintext or are insufficiently protected, a single breach can expose all connected accounts. Attackers who gain access to an MCP server can extract tokens from memory or configuration files, enabling them to impersonate users and access email, cloud storage, or other sensitive resources. (Read More)

Prompt Injection and Tool Poisoning: Prompt injection is a subtle yet dangerous attack vector unique to LLM-powered systems. Malicious actors can embed hidden instructions in tool descriptions or user inputs, causing the AI model to execute unintended actions. Tool poisoning further amplifies this risk, where seemingly benign tools are updated or replaced with malicious versions that steal data or sabotage workflows. (Read More)

Notably: 43% of tested MCP implementations were found to allow prompt injection or tool poisoning, often due to lax input validation and lack of version control. (Read More)

Server Spoofing and Rogue Servers: Because MCP servers are easy to deploy and advertise, attackers can create rogue servers that mimic legitimate ones. These imposters can intercept API calls, harvest sensitive data, or serve malicious payloads. Without robust authentication and server verification, clients may unwittingly connect to these malicious endpoints. (Read More)

Cross-Server Attacks and Shadowing: In environments where multiple MCP servers interact, a compromised server can override or intercept requests meant for trusted peers. This “cross-server shadowing” enables attackers to manipulate communications, inject malicious commands, or exfiltrate data across the network.

Over-Permissioned Tokens and Excessive Privileges: Many MCP servers are configured with broad access rights, violating the principle of least privilege. When tokens with excessive permissions are compromised, attackers gain unfettered access to multiple services and data sources, amplifying the impact of a breach.

Insecure Context Serialization and Path Traversal: Weak input validation during context serialization can allow attackers to inject malformed or malicious data, leading to data corruption or unauthorized access. Path traversal vulnerabilities—present in about 22% of tested MCP servers—enable attackers to read files outside intended directories, exposing configuration files, secrets, or other sensitive assets.

Remote Code Execution (RCE) and Supply Chain Risks: A recent high-profile vulnerability (CVE-2025-6514) in the popular mcp-remote project allowed attackers to achieve full remote code execution (RCE) on client machines by connecting to a malicious MCP server. This exploit highlights the dangers of insecure server-client protocols and the need for rigorous supply chain security.

Real-World Incidents and Their Impact

• Asana Restores MCP Server After Fixing Data Leak
  Asana has patched a flaw in its Model Context Protocol (MCP) server that could have exposed customer data across organizations. The experimental feature is now back online after two weeks of downtime.
• Asana Admits MCP Bug Risked Cross-Org Data Exposure
  Asana has warned users that a vulnerability in its MCP implementation may have led to unintentional data leaks between customer accounts. The issue affected early adopters of its AI-powered functionality.
• AgentSmith Bug in LangSmith Prompt Hub Exposed Sensitive Data
  LangSmith’s Prompt Hub suffered a major CVSS 8.8 vulnerability dubbed “AgentSmith,” which exposed API keys and enabled manipulation of LLM responses. The flaw has now been patched.
• Visual Studio Code Release Delayed for AI & MCP Enhancements
  Microsoft delayed the May 2025 release of VS Code (v1.101) by a week to incorporate key updates to its AI features and Model Context Protocol (MCP) capabilities. The update is now live.
• ‘EchoLeak’ Zero-Click Vulnerability Hits Microsoft 365 Copilot
  Aim Security uncovered “EchoLeak,” a zero-click vulnerability in Microsoft 365 Copilot. By exploiting flaws common in Retrieval-Augmented Generation (RAG) systems, attackers could silently extract user data without any user interaction.
• U.S. AI Strategy Plans Leaked via GitHub
  A staging site hosting the Trump administration’s whole-government AI plans briefly appeared on GitHub before being removed. However, backup copies of the repository were captured before its takedown.
• GitHub’s MCP Protocol Hit by Prompt Injection Vulnerability
  A newly discovered prompt injection flaw in GitHub’s official Model Context Protocol (MCP) server could allow unauthorized access and manipulation of AI coding assistant behaviors across repositories. (Read More)

Why Are These Vulnerabilities So Prevalent?

• Rapid Adoption, Rushed Deployments: The explosive growth of MCP has outpaced the development of secure deployment practices, leading to widespread misconfigurations and overlooked risks.
• Complex Trust Boundaries: MCP servers often act on behalf of users, blurring the lines of authentication and authorization. Without strict controls, the “confused deputy” problem can allow privilege escalation and unauthorized actions.
• Insufficient Auditing and Monitoring: Many MCP deployments lack robust logging, version control, or monitoring, making it difficult to detect or respond to attacks in real time.
  Mitigation Strategies: Securing Your MCP Servers
• Enforce Strong Authentication and Authorization: Require mutual TLS, OAuth, and strict permission scopes for all MCP endpoints. Regularly audit token permissions and revoke unnecessary access.
• Implement Input Validation and Output Encoding: Rigorously validate all user and tool inputs to prevent command injection, path traversal, and serialization attacks.
• Monitor and Control Tool Updates: Use version pinning, signed tool manifests, and update notifications to detect and prevent malicious tool changes.
• Harden Server Deployments: Apply secure coding practices, regular patching, and server hardening. Limit network exposure and avoid running MCP servers with excessive privileges.
• Adopt Zero Trust Architecture: Treat every MCP server and client as potentially hostile. Minimize implicit trust, segment networks, and monitor all interactions for anomalies.
• Supply Chain Security: Only use MCP servers and tools from trusted sources. Verify signatures, scan dependencies, and use secure build pipelines.
• Comprehensive Logging and Monitoring: Enable robust logging of all actions, including tool invocations and data access. Integrate with SIEM solutions for real-time threat detection.
• Comprehensive Logging and Monitoring: Enable robust logging of all actions, including tool invocations and data access. Integrate with SIEM solutions for real-time threat detection.

Conclusion

As MCP servers become integral to AI systems, their growing adoption has exposed critical security vulnerabilities—from command injection and token theft to prompt poisoning and rogue server attacks. These risks stem from rushed deployments, weak input validation, and over-permissioned configurations. Real-world incidents have shown how easily sensitive data can be compromised. To safeguard AI ecosystems, organizations must enforce strong authentication, adopt zero-trust principles, and monitor tool updates rigorously. Securing MCP servers is essential to ensure trust, resilience, and safe innovation in AI infrastructure.

References

https://www.infosecurity-magazine.com/news/mcp-servers-risk-rce-data-leaks/
https://equixly.com/blog/2025/03/29/mcp-server-new-security-nightmare/

Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients

https://www.pomerium.com/blog/june-2025-mcp-content-round-up