Widespread Misconfiguration Undermines AI Security
As reported by Dark Reading, while artificial intelligence continues its rapid expansion into enterprise workflows, one of its supporting technologies, the Model Context Protocol (MCP) server, is showing serious signs of growing pains. Introduced by Anthropic less than a year ago, MCP gives AI models a standard, modular way to call external tools and data sources. Since then, nearly 2,000 MCP servers have been found reachable on the public Internet. But in the rush to adopt, many developers have overlooked a fundamental element: security.
A recent investigation by cybersecurity firm Knostic found 1,862 MCP servers reachable from the public Internet. Not all were tested, but initial findings showed that many of these servers answer unauthenticated requests, giving an attacker a clear path to enumerate, and potentially abuse, the backend systems behind them.
Research Reveals Complete Lack of Access Controls
To assess the scale of the problem, Knostic researchers scanned the Internet and then tested a sample of 119 MCP servers by sending each one a standard tools/list request, the JSON-RPC call that asks an MCP server to enumerate the tools it exposes. All 119 responded without requiring any form of authentication, exposing their internal tools and data integrations to anyone who asked. From database connectors to cloud management tools and business-specific functions, everything was readily enumerable.
The results confirmed that these deployments had skipped even basic security hygiene. Beyond generic technical tooling, some servers revealed systems used for managing car repair operations, tracking train schedules, facilitating team communications, or accessing legal research databases. In many cases it was impossible to tell whether the data was meant for public consumption or had simply been exposed by mistake.
These exposed endpoints carry significant risk. Once an attacker knows which tools exist, the same unauthenticated access may let them invoke those tools to exfiltrate sensitive data such as API keys, customer records, or internal communications. More destructive scenarios are also possible: an attacker could issue commands that alter backend systems, or deliberately burn through metered resources in a denial-of-wallet (DoW) attack that drives up the victim's operating costs.
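To make the probe concrete, here is an added example (not Knostic's tooling or any MCP project code) that builds the tools/list request and classifies an HTTP response as auth_required, exposed, error or unknown. The probe() helper, the transport assumptions (JSON-RPC 2.0 over POST with a JSON or SSE response body, as in the Streamable HTTP transport) and every sample response are constructed for this illustration. A spec-compliant server may also refuse tools/list until the client has sent initialize; that shows up here as "error", not as exposure.

```python
"""Check whether an MCP HTTP endpoint answers tools/list without credentials.

Added example; not Knostic's tooling. Assumes JSON-RPC 2.0 over HTTP POST
(the Streamable HTTP transport) and judges by status code and body only.
"""
import json
import urllib.error
import urllib.request


def tools_list_request(request_id=1):
    """Build the JSON-RPC 2.0 'tools/list' call used in the probe."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/list", "params": {}}


def parse_body(content_type, raw):
    """Return the JSON-RPC message from a JSON body or from an SSE stream."""
    if content_type.startswith("text/event-stream"):
        # The server may stream the reply as SSE: keep the last 'data:' line.
        messages = [json.loads(line[5:].strip())
                    for line in raw.splitlines() if line.startswith("data:")]
        return messages[-1] if messages else None
    return json.loads(raw)


def classify(status, content_type, raw):
    """Map one probe result to (verdict, tool_names).

    auth_required: the server demanded credentials (the desired outcome)
    exposed:       tools were listed to an anonymous caller
    error:         JSON-RPC error, e.g. the server insists on initialize first
    unknown:       anything else (wrong path, non-MCP service, unparsable body)
    """
    if status in (401, 403):
        return "auth_required", []
    if status != 200:
        return "unknown", []
    try:
        msg = parse_body(content_type, raw)
    except ValueError:
        return "unknown", []
    if not isinstance(msg, dict):
        return "unknown", []
    if "error" in msg:
        return "error", []
    tools = msg.get("result", {}).get("tools")
    if isinstance(tools, list):
        return "exposed", [t.get("name") for t in tools]
    return "unknown", []


def probe(url, timeout=10):
    """POST an unauthenticated tools/list to a live endpoint you are allowed to test."""
    data = json.dumps(tools_list_request()).encode()
    req = urllib.request.Request(url, data=data, method="POST", headers={
        "Content-Type": "application/json",
        "Accept": "application/json, text/event-stream",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Content-Type", ""),
                            resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.headers.get("Content-Type", ""),
                        e.read().decode(errors="replace"))


# Constructed responses (not captured from any real server) for offline use.
SAMPLE_RESPONSES = {
    "hardened": (401, "application/json", ""),
    "exposed_json": (200, "application/json; charset=utf-8", json.dumps({
        "jsonrpc": "2.0", "id": 1, "result": {"tools": [
            {"name": "query_db", "description": "Run SQL against the orders database"},
            {"name": "list_s3_buckets", "description": "Enumerate cloud storage"}]}})),
    "exposed_sse": (200, "text/event-stream",
                    'event: message\ndata: {"jsonrpc":"2.0","id":1,"result":'
                    '{"tools":[{"name":"send_slack_message"}]}}\n\n'),
    "needs_init": (200, "application/json", json.dumps({
        "jsonrpc": "2.0", "id": 1,
        "error": {"code": -32600, "message": "Server not initialized"}})),
}


def run_samples():
    """Classify every constructed sample; returns {name: (verdict, tools)}."""
    return {name: classify(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, (verdict, tools) in run_samples().items():
        print(f"{name:13s} -> {verdict}  {tools}")
```

Run it only against endpoints you own or are authorized to test. A verdict of exposed means the server listed its tools to a caller presenting no credentials, which is exactly the condition Knostic counted.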
The accessibility of MCP and its out-of-the-box ease of use may be contributing to these security lapses. Unlike earlier cloud technologies that required technical expertise and security planning from the outset, MCP enables even non-security professionals to rapidly deploy AI-integrated infrastructure, often without understanding or prioritizing risk.
An Ecosystem Still Finding Its Footing
MCP's specification treats authorization as optional rather than mandatory. Newer revisions give more robust guidance on authentication and access control, but following it remains at the implementer's discretion. Anyone deploying an MCP server should review that guidance and put authentication and per-tool access control in place before the server is reachable, rather than bolting them on afterwards.
The current state of MCP deployment reflects an AI ecosystem still in its infancy, where convenience often outpaces caution. Integrating security earlier in the development lifecycle does not have to slow innovation: organizations need to embed security into fast-moving teams and shift it left without sacrificing speed. That kind of proactive approach is exactly what prevents unsecured MCP servers and similar emerging-technology risks.
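As an added illustration of what authentication and access control "from the start" look like in server code (this is not the MCP SDK or any project's code; the tokens, principals and tools are constructed), the following framework-free handler contrasts the open pattern Knostic observed with a gated one. In the gated version every JSON-RPC method, tools/list included, is refused without a valid bearer token, and both the tool list and tools/call are filtered by a per-principal allowlist so that what a caller can enumerate and what it can invoke always agree. A production server should validate OAuth access tokens as the specification's authorization guidance describes; the static token table here stands in for that.

```python
"""Gate every MCP JSON-RPC method behind authentication and a per-principal tool allowlist.

Added example, not MCP SDK code. The HTTP layer is assumed to call
handle_request(headers, body) and send back the (status, json_body) it returns.
Tokens, principals and tools below are constructed for the demonstration.
"""
import hmac
import json

# Constructed credential store: opaque bearer token -> principal. Stands in for
# OAuth access-token validation, which is what a real deployment should do.
TOKENS = {"tok-analyst-7f3a": "analyst", "tok-ops-91c2": "ops"}

# Least privilege: each principal may see and call only the tools it needs.
ALLOWED_TOOLS = {"analyst": {"search_docs"}, "ops": {"search_docs", "restart_service"}}

TOOLS = {
    "search_docs": {"name": "search_docs", "description": "Full-text search over internal docs"},
    "restart_service": {"name": "restart_service", "description": "Restart a backend service"},
    "export_customers": {"name": "export_customers", "description": "Dump the customer table"},
}

# Constructed requests used by the demonstration and its checks.
LIST_REQ = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/list", "params": {}})
CALL_REQ = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                       "params": {"name": "export_customers", "arguments": {}}})


def _jsonrpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def authenticate(headers):
    """Return the principal for a valid bearer token, else None (constant-time compare)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, principal in TOKENS.items():
        if hmac.compare_digest(presented, token):
            return principal
    return None


def dispatch(req, principal):
    """Serve tools/list and tools/call for an already-authenticated principal."""
    req_id, method = req.get("id"), req.get("method")
    allowed = ALLOWED_TOOLS.get(principal, set())
    if method == "tools/list":
        # Filter the listing with the same set used to authorize calls below.
        return {"jsonrpc": "2.0", "id": req_id,
                "result": {"tools": [TOOLS[n] for n in sorted(allowed)]}}
    if method == "tools/call":
        name = req.get("params", {}).get("name")
        if name not in allowed:
            return _jsonrpc_error(req_id, -32602, f"tool not permitted: {name}")
        return {"jsonrpc": "2.0", "id": req_id,
                "result": {"content": [{"type": "text", "text": f"{name} ran for {principal}"}]}}
    return _jsonrpc_error(req_id, -32601, "method not found")


def handle_request_open(headers, body):
    """The exposed pattern: no credential check, every tool listed to anyone."""
    req = json.loads(body)
    if req.get("method") == "tools/list":
        return 200, {"jsonrpc": "2.0", "id": req.get("id"),
                     "result": {"tools": list(TOOLS.values())}}
    return 200, _jsonrpc_error(req.get("id"), -32601, "method not found")


def handle_request(headers, body):
    """Hardened pattern: authenticate first, then dispatch under the allowlist."""
    principal = authenticate(headers)
    if principal is None:
        # The HTTP layer should also emit WWW-Authenticate: Bearer realm="mcp".
        return 401, {"error": "unauthorized"}
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return 400, _jsonrpc_error(None, -32700, "parse error")
    return 200, dispatch(req, principal)


if __name__ == "__main__":
    print("open   :", handle_request_open({}, LIST_REQ))
    print("no auth:", handle_request({}, LIST_REQ))
    print("analyst:", handle_request({"Authorization": "Bearer tok-analyst-7f3a"}, LIST_REQ))
    print("ops    :", handle_request({"Authorization": "Bearer tok-ops-91c2"}, CALL_REQ))
```

The point of keeping the list and the call on one allowlist is that hiding a tool from tools/list is not access control by itself; an attacker who guesses the name can still call it unless tools/call is checked against the same set.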


