MCP Under Fire: 6 Attacks, 0 SIEM Alerts — Why Your AI Agents Are the New Attack Surface + Video

Listen to this Post

Featured Image

Introduction:

The Model Context Protocol (MCP) is rapidly becoming the connective tissue between AI agents and the tools they use — enabling LLMs like Claude to read files, query databases, and interact with APIs in real time. But with adoption surging, so too are the incidents. A single malicious MCP server in a developer’s toolchain can now exfiltrate secrets from every project they work on. And here’s the kicker: traditional SIEM alerts are completely blind to these attacks. This article dissects six documented MCP security incidents, breaks down the technical root causes, and provides actionable defense strategies for securing this new trusted execution layer.

Learning Objectives:

  • Understand the attack vectors unique to MCP ecosystems, including tool poisoning, supply chain compromise, and OAuth-based remote code execution.
  • Learn to identify and mitigate critical vulnerabilities such as CVE-2025-6514 (CVSS 9.6) and CVE-2025-6515.
  • Implement practical hardening measures across Linux, Windows, and cloud environments to defend MCP servers and AI agents.
  1. The Six Incidents: A Wake-Up Call for AI Security

The six documented incidents share a common thread: developer environments were the target, and the AI agent’s trust in tool outputs became the attack vector. Traditional endpoint and network monitoring failed to detect any of them.

Incident 1: The Fake Postmark npm Package — Attackers published a malicious npm package impersonating Postmark. It sent emails normally but silently BCC’d every outgoing message to the attacker’s address. This is a classic software supply chain attack, amplified by the fact that AI agents often automatically install and trust npm packages based on configuration files.

Incident 2: AI Agent + Support Ticket Exploitation — An AI agent read a support ticket, queried production databases based on the ticket’s content, and then posted sensitive integration tokens back into the same public support thread. This demonstrates indirect prompt injection: the attacker didn’t talk to the AI directly; they poisoned the context the AI relied on.

Incident 3: The mcp-remote Catastrophe (CVE-2025-6514) — This one deserves its own deep dive.

  1. CVE-2025-6514: When a Trusted OAuth Proxy Becomes an RCE Nightmare

The `mcp-remote` npm package — with over 437,000 downloads and referenced in official vendor documentation — contained a critical command injection vulnerability. Tracked as CVE-2025-6514 with a CVSS score of 9.6, it allows attackers to execute arbitrary operating system commands during the OAuth handshake.

Technical Breakdown:

The vulnerability resides in the `sanitizeUrl` function within utils.ts. When `mcp-remote` connects to a remote MCP server, it exchanges OAuth metadata. A malicious server can craft the `authorization_endpoint` response:

{
"authorization_endpoint": "file:/c:/windows/system32/cmd.exe"
}

On Windows, `mcp-remote` uses the `open` npm package to launch this URL, which triggers PowerShell or cmd.exe execution with full parameter control. On macOS and Linux, the impact is more limited but still enables arbitrary binary execution.

Step-by-Step Exploitation:

  1. Attacker sets up a malicious MCP server with a crafted `authorization_endpoint` pointing to a system executable or a malicious binary.
  2. Victim configures their LLM host (e.g., Claude Desktop) to connect to this server using mcp-remote.
  3. OAuth handshake begins — `mcp-remote` fetches the metadata and processes the poisoned URL.
  4. Command injection occurs — the system executes the attacker-specified file.

Mitigation:

  • Immediately update `mcp-remote` to version 0.1.16 or higher.
  • Only connect to trusted MCP servers using HTTPS connections.
  • Review access policies for all MCP infrastructure.

Verification Command (Linux/macOS):

npm list mcp-remote
 If version < 0.1.16, update immediately:
npm update mcp-remote

Verification Command (Windows PowerShell):

npm list mcp-remote
npm update mcp-remote
  1. Tool Poisoning: When the Attack Is the Contract Itself

OWASP’s MCP Top 10 identifies Tool Poisoning (MCP03:2025) as a critical risk. Unlike traditional code exploits, tool poisoning doesn’t attack a bug — it changes the contract so legitimate agents behave incorrectly while passing superficial validation.

Real-World Example: The GitHub MCP server was exploited to access private repositories via tool poisoning. An attacker modified the tool schema definition, tricking the AI agent into executing operations with elevated privileges.

Step-by-Step Defense:

  1. Implement schema validation — Treat every tool definition as untrusted input. Validate all schemas against a known-good baseline before allowing agent execution.
  2. Apply the principle of least privilege — Scope every tool to the minimum necessary permissions. Separate read and write tool categories; require explicit approval for write operations in sensitive contexts.
  3. Use signed tool manifests — Tools like `mcp-server-attestation` provide Ed25519-signed tool manifests and runtime spawn-attestation.
  4. Default-deny argument sanitization — Reject any tool arguments that don’t match expected patterns.

Linux Command to Audit MCP Tools:

 Find all MCP server configurations
find ~ -1ame "mcpconfig" -o -1ame "claude_desktop_config" 2>/dev/null

Inspect tool definitions for suspicious patterns
grep -r "authorization_endpoint|file://|cmd.exe|powershell" ~/.config/ 2>/dev/null

Windows PowerShell Command:

Get-ChildItem -Path $env:USERPROFILE -Recurse -Include "mcpconfig" -ErrorAction SilentlyContinue
Select-String -Path "$env:USERPROFILE.config\" -Pattern "authorization_endpoint|file://|cmd.exe|powershell"

4. Cross-Server Privilege Escalation: The Domain of Compromise

Nearly 2,000 MCP servers exposed to the web today are totally bereft of authentication or access controls. This creates a perfect storm for cross-server privilege escalation — an attacker compromising one MCP server can pivot to others in the same trust boundary.

The Attack Chain:

  1. Attacker compromises a low-privilege MCP server (e.g., via tool poisoning or supply chain attack).
  2. The compromised server is trusted by the AI agent and has access to other internal MCP servers.
  3. Attacker uses the agent’s trust to escalate privileges and exfiltrate data from higher-value targets.

Step-by-Step Hardening:

  1. Never expose MCP over the public internet without mTLS or equivalent.
  2. Containerize MCP servers and run them outside your corporate network. Use Docker or Podman with strict network isolation.
  3. Run MCP servers as non-root — they should never have root or administrator privileges.
  4. Implement network segmentation — MCP servers should only communicate with authorized clients via allowlisted IPs and ports.
  5. Use mTLS for all inter-MCP communication — this ensures both client and server authenticate each other.

Docker Hardening Example:

 Dockerfile for secure MCP server
FROM node:20-alpine
RUN addgroup -g 1000 -S mcp && adduser -u 1000 -S mcp -G mcp
USER mcp
WORKDIR /app
COPY package.json ./
RUN npm ci --only=production
COPY . .
EXPOSE 3000
CMD ["node", "server.js"]

Run Command:

docker run -d \
--1ame mcp-server \
--1etwork mcp-1etwork \
--read-only \
--cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
-p 127.0.0.1:3000:3000 \
mcp-server:secure
  1. MCP Governance and Hardening: Building a Security Program

Most AppSec programs cover APIs, containers, CI/CD, and cloud infrastructure. But do they cover the MCP servers your developers installed last month?

Step-by-Step Governance Framework:

  1. Conduct a tool inventory review before every production deployment. Maintain a machine-readable checklist (JSON/YAML) integrated into CI/CD pipelines.
  2. Log every tool invocation with originating session context. This is non-1egotiable for incident response.
  3. Set rate limits on both the MCP server and any downstream APIs it calls.
  4. Rotate credentials used by MCP servers on a defined schedule.
  5. Monitor for behavioral anomalies: unusual tool chains, high-frequency calls, and off-hours access.
  6. Treat agent sessions as untrusted by default — validate intent, not just auth tokens.

Linux Audit Command for MCP Activity:

 Monitor MCP server logs in real-time
tail -f /var/log/mcp-server/.log | grep -E "ERROR|WARN|tool_invocation"

Check for unusual outbound connections from MCP processes
sudo netstat -tunap | grep -i mcp

Windows PowerShell Audit:

 Get MCP-related processes
Get-Process | Where-Object { $_.ProcessName -match "mcp|node" }

Check network connections
netstat -ano | findstr "mcp"

6. The Rise of Prompt Hijacking (CVE-2025-6515)

JFrog Security Research discovered CVE-2025-6515 in the `oatpp-mcp` framework — an MCP implementation that generates guessable session IDs. This enables a technique dubbed “Prompt Hijacking” — session-level attacks that manipulate AI behavior indirectly without tampering with the model itself.

Attack Flow:

  1. Attacker guesses or intercepts an MCP session ID.
  2. Attacker injects malicious prompts into the session context.
  3. The AI agent, trusting the session context, executes attacker-controlled commands.

Mitigation:

  • Use cryptographically secure random session IDs (minimum 128 bits of entropy).
  • Implement session binding — tie each session to a specific client certificate or IP address.
  • Rotate session IDs after each sensitive operation.

What Undercode Say:

  • Key Takeaway 1: MCP is not just another API — it’s a trusted execution layer where AI agents execute code based on external inputs. Traditional security tooling (SIEM, EDR, WAF) is blind to these interactions because they happen at the application logic layer, not the network or host layer.

  • Key Takeaway 2: The attack surface is expanding faster than defenses can adapt. With nearly 2,000 MCP servers exposed without authentication and vulnerabilities like CVE-2025-6514 achieving CVSS 9.6, organizations must treat MCP security as a first-class concern — not an afterthought.

  • Key Takeaway 3: The skills gap is real. Most security teams don’t know how to audit, harden, or monitor MCP deployments. Hands-on training like the Certified MCP Security Expert (CMCPSE) course is emerging as a critical capability builder. The course covers tool poisoning labs, OAuth 2.1 hardening, MCP red-teaming, and shadow server detection — exactly what’s needed to defend this new frontier.

Prediction:

  • +1 MCP will become the de facto standard for AI-tool integration within 18 months, driving a new wave of innovation in AI-powered development and automation. This will create massive opportunities for security professionals who specialize in this domain.

  • -1 The rapid adoption of MCP without corresponding security maturity will lead to a major breach involving an AI agent exfiltrating sensitive data from a Fortune 500 company within the next 12 months — a breach that traditional security controls will fail to detect until it’s too late.

  • +1 The emergence of MCP-specific security frameworks (OWASP MCP Top 10, CMCPSE certification, and vendor-specific hardening guides) will mature the ecosystem, eventually making MCP security as standardized as API security is today.

  • -1 Until then, every organization deploying MCP servers is running an experiment in trust — trusting that AI agents won’t be manipulated, that npm packages aren’t poisoned, and that OAuth handshakes aren’t hiding RCE. The six incidents documented here are just the beginning.

  • +1 The security community’s response — from GitHub security advisories to Docker’s MCP security guides to the CMCPSE certification — demonstrates that the ecosystem is learning fast. The question isn’t whether MCP will be secured; it’s whether your organization will be prepared when the next zero-day hits.

▶️ Related Video (72% Match):

https://www.youtube.com/watch?v=0M_KZxAIjDo

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Sachinshreyashkar Cmcpse – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky