The same connectivity that made Anthropic's Model Context Protocol (MCP) the fastest-adopted AI integration standard in 2025 has created enterprise cybersecurity's most dangerous blind spot.
Recent research from Pynt quantifies the growing threat in clear, unambiguous terms. Their analysis exposes the startling network effect of vulnerabilities that escalate the more MCP plugins are used. Deploying just ten MCP plugins creates a 92% probability of exploitation. At three interconnected servers, risk exceeds 50%. Even a single MCP plugin presents a 9% exploit probability, and the threat compounds exponentially with each addition.
MCPs' security paradox is driving one of the enterprises' most significant AI risks
The design premise for MCP began with a commendable goal of solving AI's integration chaos. Anthropic chose to standardize how large language models (LLMs) connect to external tools and data sources, delivering what every organization working with AI models and resources desperately needed: a universal interface for AI agents to access everything from APIs, cloud services, databases, and more.
Anthropic's launch was so well orchestrated that MCP immediately gained traction with many of the leading AI companies in the industry, including Google and Microsoft, who both quickly adopted the standard. Now, a short ten months after the launch, there are over 16,000 MCP servers deployed across Fortune 500 companies this year alone.
At the core of MCP's security paradox is its greatest strength, which is frictionless connectivity and pervasive integration with as little friction as possible. That aspect of the protocol is its greatest weakness. Security wasn't built into the protocol's core design. Authentication remains optional. Authorization frameworks arrived just six months ago in updates, months after the protocol had seen widespread deployments. Combined, these two factors are fueling a quickly sprawling attack surface where every new connection multiplies risk, creating a network effect of vulnerabilities.
"MCP is shipping with the same mistake we've seen in every major protocol rollout: insecure defaults," warns Merritt Baer, Chief Security Officer at Enkrypt AI and advisor to companies including Andesite told VentureBeat in a recent interview. "If we don't build authentication and least privilege in from day one, we'll be cleaning up breaches for the next decade."
Source: Pynt, Quantifying Risk Exposure Across 281 MCPs Report
Defining Compositional Risk: How security breaks at scale
Pynt's analysis of 281 MCP servers provides the data needed to illustrate the mathematical principles that are core to compositional risk.
According to their analysis, 72% of MCPs expose sensitive capabilities that include dynamic code execution, file system access, and privileged API calls, while 13% accept untrusted inputs like web scraping, Slack messages, email, or RSS feeds. When these two risk factors intersect, as they do in 9% of real-world MCP setups, attackers gain direct pathways to prompt injections, command execution, and data exfiltration, often without a single human approval required. These aren't hypothetical vulnerabilities; they're live, measurable exploit paths hidden within everyday MCP configurations.
"When you plug into an MCP server, you're not just trusting your own security, you're inheriting the hygiene of every tool, every credential, every developer in that chain," Baer warns. "That's a supply chain risk in real time."
Source: Pynt, Quantifying Risk Exposure Across 281 MCPs Report
A growing base of real-world exploits shows that MCP's vulnerabilities are real
Security research teams from many of the industry's leading companies continue their work to identify real-world exploits that MCP is currently seeing in the wild, in addition to those that are theoretical in nature. The MCP protocol continues to show increased vulnerabilities in different scenarios, with the main ones including the following:
CVE-2025-6514 (CVSS 9.6): The MCP-remote package, downloaded over 500,000 times, carries a critical vulnerability allowing arbitrary OS command execution. "The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running MCP-remote when it initiates a connection to an untrusted MCP server, launching a full system compromise," warns JFrog's security team.
The Postmark MCP Backdoor: Koi Security uncovered that the postmark-mcp npm package had been trojanized to grant attackers implicit "god-mode" access within AI workflows. In version 1.0.16, the malicious actor inserted a single line of code that silently BCC'd every outbound email to their domain (e.g., phan@giftshop.club), effectively exfiltrating internal memos, invoices, and password resets, all without raising alerts. As Koi researchers put it: "These MCP servers run with the same privileges as the AI assistants themselves — full email access, database connections, API permissions — yet they don't appear in any asset inventory, skip vendor risk assessments, and bypass every security control from DLP to email gateways."
Idan Dardikman, co-founder and CTO at Koi Security, writes in a recent blog post exposing just how lethal the postmark-mcp npm package is, "Let me be really clear about something: MCP servers aren't like regular npm packages. These are tools specifically designed for AI assistants to use autonomously."
"If you're using postmark-mcp version 1.0.16 or later, you're compromised. Remove it immediately and rotate any credentials that may have been exposed through email. But more importantly, audit every MCP server you're using. Ask yourself: Do you actually know who built these tools you're trusting with everything? " Dardikman writes. He ends the post with solid advice: "Stay paranoid. With MCPs, paranoia is just good sense."
CVE-2025-49596: Oligo Security exposed a critical RCE vulnerability in Anthropic's MCP Inspector, enabling browser-based attacks. "With code execution on a developer's machine, attackers can steal data, install backdoors, and move laterally across networks," explains Avi Lumelsky, security researcher
Trail of Bits' "Line Jumping" Attack: Researchers demonstrated how malicious MCP servers inject prompts through tool descriptions to manipulate AI behavior without ever being explicitly invoked. "This vulnerability exploits the faulty assumption that humans provide a reliable defense layer," the team notes.
Additional vulnerabilities include prompt injection attacks hijacking AI behavior, tool poisoning, manipulating server metadata, authentication weaknesses where tokens pass through untrusted proxies, and supply chain attacks through compromised npm packages.
The authentication gap needs to be designed out first
Authentication and authorization were initially optional in MCP. The protocol prioritized interoperability over security, assuming enterprises would add their own controls. They haven't. OAuth 2.0 authorization finally arrived in March 2025, refined to OAuth 2.1 by June. But thousands of MCP servers deployed without authentication remain in production.
Academic research from Queen's University analyzed 1,899 open-source MCP servers and found 7.2% contain general vulnerabilities and 5.5% exhibit MCP-specific tool poisoning. Gartner's survey (via IBM's Human–Machine Identity Blur paper) reveals organizations deploy 45 cybersecurity tools but effectively manage only 44% of machine identities, meaning half the identities in enterprise ecosystems could be invisible and unmanaged.
Defining a comprehensive MCP defense strategy is table stakes
Defining a multilayer MCP defense strategy helps to close the gaps left in the original protocol's structure. The layers defined here look to bring together architectural safeguards and immediate operational measures to reduce an organization's threat surface.
Layer 1: Start with the weakest area of MCP which is authentication and access controls
Improving authentication and access controls needs to start with enforcing OAuth 2.1 for each MCP gateway across an organization. Gartner notes that enterprises enforcing these measures report 48% fewer vulnerabilities, 30% better user adoption, and centralized MCP server monitoring. "MCP gateways serve as essential security intermediaries," writes the research firm, by providing unified server catalogs and real-time monitoring.
Layer 2: Why semantic layers matter in contextual security
Semantic layers are essential for bringing greater context to each access decision, ensuring AI agents work only with standardized, trusted, and verifiable data. Deploying semantic layers helps reduce operational overhead, improves natural language query accuracy, and delivers the real-time traceability security leaders need. VentureBeat is seeing the practice of embedding security policies directly into data access contribute to reduced breach risks and more secure agentic analytics workflows.
Layer 3: Knowledge graphs are essential for visibility
By definition, knowledge graphs connect entities, analytics assets, and business processes, enabling AI agents to operate transparently and securely within an organizational context. Gartner highlights this capability as critical for regulatory compliance, auditability, and trust, especially in complex queries and workflows. Merritt Baer underscores the urgency: "If you're using MCP today, you already need security. Guardrails, monitoring, and audit logs aren't optional — they're the difference between innovation with and without risk mitigation," advises Baer.
Recommended action plan for security leaders
VentureBeat recommends security leaders who have MCP-based integrations active in their organizations take the following five precautionary actions to secure their infrastructure:
Make it a practice of implementing MCP Gateways by first enforcing OAuth 2.1 and OpenID Connect while centralizing MCP server registration.
Define how your infrastructure can support a layered security architecture with semantic layers and knowledge graphs alongside gateways.
Turn the activity of conducting regular MCP audits through threat modeling, continuous monitoring, and red-teaming into the muscle memory of your security teams, so it's done by reflex.
Limit MCP plugin usage to essential plugins only—remember: 3 plugins = 52% risk, 10 plugins = 92% risk.
Invest in AI-specific security as a distinct risk category within your cybersecurity strategy.
