The same connectivity that provided Anthropic Model Context Protocol (MCP) the fastest-adopted AI integration standard in 2025 has created the most dangerous blind spot in enterprise cybersecurity.
The latest research conducted by Pynt quantifies the growing threat in a clear and unambiguous way. Their evaluation reveals a surprising network effect of vulnerabilities that increases as more MCP plug-ins are used. Deploying just ten MCP plugins creates a file Usage probability 92%.. There is a risk on three interconnected servers exceeds 50%. Even a single MCP plugin has a 9% probability of exploitation, and the threat increases exponentially with each addition.
The MCP security paradox is the cause of one of the most significant AI threats in enterprises
The MCP design temporary began with the laudable goal of solving the AI integration chaos. Anthropic decided to unify the way large language models (LLMs) connect with external tools and data sources, providing what every organization working with AI models and assets desperately needs: a universal interface for AI agents to access every part from APIs, cloud services, databases, and more.
The premiere of Anthropic was perfectly organized that MCP immediately gained popularity among many of the industry’s leading AI firms, including Google and Microsoft, which quickly adopted the standard. Now, lower than ten months after launch, they are here over 16,000 MCP servers were deployed this 12 months alone in Fortune 500 firms.
At the heart of the MCP security paradox lies its best strength, i.e frictionless connectivity AND ubiquitous integration with as little friction as possible. This aspect of the protocol is his best weakness. Security it was not built into the basic protocol design. Authentication stays optional. Authorization framework it appeared in updates just six months ago, a few months after the protocol was widely implemented. When combined, these two aspects rapidly fuel each other extensive attack surface where each latest connection multiplies the risk, creating network effect susceptibility.
“MCP ships with the same bug we’ve seen with every major rollout of the protocol: insecure defaults,” warns Merritt Baer, the company’s chief security officer Encrypt ai and advisor to firms including Andesite and AppOmini, told VentureBeat in a recent interview. “If we don’t implement authentication and least privilege from day one, we will spend the next decade recovering from breaches.”
Source: Pynt, Quantifying Risk Exposure in MCP Report 281
Defining compositional risk: How security breaks at scale
Pynt’s evaluation of 281 MCP servers provides the data needed for instance the mathematical principles at the core of composition risk.
According to their evaluation, 72% of MCPs provide sensitive capabilities that include dynamic code execution, file system access, and privileged API calls, while 13% accept untrusted inputs akin to web scraping, Slack messages, email, or RSS feeds. When these two risk aspects intersect, as they do in 9% of real-world MCP configurations, attackers gain direct paths to perform injections, command execution, and data exfiltration, often without the need for a single human consent. These are not hypothetical vulnerabilities; these are lively, measurable exploit paths hidden in on a regular basis MCP configurations.
“When you connect to an MCP server, you not only trust your own security, but you inherit the hygiene of every tool, every authentication, and every developer in the chain,” Baer warns. “It’s real-time supply chain risk.”
Source: Pynt, Quantifying Risk Exposure in MCP Report 281
The growing database of real-world exploits shows that MCP vulnerabilities are real
Security research teams from many of the industry’s leading firms proceed to work to discover real-world exploits that MCP is currently seeing in the wild, in addition to those of a theoretical nature. MCP continues to have an increased number of vulnerabilities in various scenarios, the most significant of which include:
CVE-2025-6514 (CVSS 9.6): The MCP-remote package, downloaded over 500,000 times, incorporates a critical vulnerability that might allow the execution of arbitrary operating system commands. “With this vulnerability, an attacker could execute arbitrary operating system commands on a computer running MCP remotely when it initiates a connection to an untrusted MCP server, resulting in a full system compromise,” it warns JFroga security team.
Backdoor MCP postmark: : Berth Safety discovered that postmark-mcp npm package was trojanized to provide attackers covert “God mode” access to AI workflows. In version 1.0.16, a malicious actor inserted a single line of code that silently BCCed every outgoing email to his domain (e.g., [email protected]), effectively extracting internal notes, invoices, and resetting passwords, all without triggering alerts. How Koi researchers as he puts it: “These MCP servers run with the same permissions as the AI assistants themselves – full email access, database connections, API permissions – and yet they don’t show up in any inventory, bypass vendor risk assessments, and bypass every security check, from DLP to email gateways.”
Idan Dardikman, co-founder and CTO at Koi Security, – he writes in his latest blog entry revealing how killer the postmark-mcp npm package is: “Let me clarify something: MCP servers are not like regular npm packages. They are tools designed specifically for AI assistants to use on their own.”
“If you are using Postmark-mcp version 1.0.16 or later, your security is at risk. Remove it immediately and replace any credentials that may have been exposed in the emails. But more importantly, audit every MCP server you use. Ask yourself: Do you really know who built these tools you trust everything to?” – writes Dardikman. He finishes post with solid advice: “Stay paranoid. In the case of MCP, paranoia is just common sense.”
CVE-2025-49596: : Oligo security disclosed a critical RCE vulnerability in Anthropic’s MCP Inspector, allowing browser-based attacks. “By executing code on a developer’s computer, attackers can steal data, install backdoors and move around the network,” explains security researcher Avi Lumelsky
Bit trail Line jumping attack.: : Scientists have shown how malicious MCP servers inject prompts via tool descriptions manipulate the behavior of artificial intelligence without direct triggering. “This vulnerability exploits the false assumption that humans provide a reliable layer of defense,“ – notes the team.
Additional vulnerabilities include fast injection attacks adopting AI behavior, (*10*)tool poisoningmanipulating server metadata, authentication weaknesses where tokens go through untrusted proxies and supply chain attacks via compromised npm packages.
First, it’s essential to design for an authentication vulnerability
Authentication and authorization were initially optional in MCP. The protocol prioritized interoperability over security, assuming firms would add their very own controls. They don’t have it. OAuth 2.0 the permit finally arrived in March 2025, perfected OAuth 2.1 until June. However, 1000’s of MCP servers deployed without authentication remain in production.
Academic research with Queen’s University analyzed 1,899 open source MCP servers and found that 7.2% contained general vulnerabilities and 5.5% exhibited MCP-specific tool poisoning. Gartner Survey (via IBM article on blurring human-machine identity) reveals that organizations deploy 45 cybersecurity tools but only effectively manage 44% of machine identities, meaning half of the identities in enterprise ecosystems could also be invisible and unmanaged.
What is at stake is defining a comprehensive MCP defense strategy
Defining a multi-layered MCP defense strategy helps close gaps left in the original protocol structure. The layers defined here are intended to mix architectural security and immediate operational measures to scale back the organization’s threat surface.
Layer 1: Start with the weakest area of MCP, authentication and access control
Improving authentication and access control starts with enforcement OAuth 2.1 for every MCP gateway across the organization. Gartner notes that enterprises implementing these measures report 48% fewer security vulnerabilities, 30% higher user adoption, and centralized monitoring of MCP servers. “MCP gateways act as primary security intermediaries.” I’m writing research company, providing unified server catalogs and real-time monitoring.
Layer 2: Why semantic layers matter in contextual security
Semantic layers are vital to offer greater context to each access decision, ensuring AI agents only work with standard, trusted and verifiable data. Deploying semantic layers helps reduce operational burden, improves natural language query accuracy, and provides real-time traceability to security leaders. VentureBeat sees that the practice of embedding security policies directly into data access contributes to reduced risk of breaches and safer agent analytics workflows.
Layer 3: Knowledge graphs are essential for visibility
By definition, knowledge graphs connect entities, analytical resources, and business processes, enabling AI agents to operate transparently and securely in an organizational context. Gartner emphasizes that this feature is critical for regulatory compliance, auditability, and trust, especially for complex queries and workflows. Merritt Baer emphasizes the urgency: “If you are using MCP today, you already need security. Guardrails, monitoring, and audit logs are not optional – they are the difference between innovation with and without risk mitigation,” advises Baer.
Recommended motion plan for security leaders
VentureBeat recommends that security leaders who have lively MCP-based integrations in their organizations take the following five preventive actions to secure their infrastructure:
-
Make implementing MCP gateways a practice by enforcing it first OAuth 2.1 AND OpenID connection while centralizing MCP server registration.
-
Define how your infrastructure can support a layered security architecture with semantic layers and knowledge graphs alongside gateways.
-
Turn performing regular MCP audits through threat modeling, continuous monitoring, and red-teaming into the muscle memory of your security teams so that it happens reflexively.
-
Limit your use of MCP plug-ins to only essential plug-ins – remember: 3 plugins = 52% risk, 10 plugins = 92% risk.
-
Invest in AI-based security as a separate risk category in your cybersecurity strategy.