What Happened
In mid-2025, researchers at Knostic identified 1,862 Model Context Protocol (MCP) servers reachable from the public internet, and the servers they tested accepted connections without any authentication. An MCP server exists to hand an AI agent tools and resources, so an unauthenticated one hands the same database queries, file operations and internal API calls to anyone who can reach the port.
Two vulnerabilities disclosed in the same period underscored the problem:
EchoLeak (CVE-2025-32711): A zero-click prompt injection in Microsoft 365 Copilot. A crafted email placed instructions where the agent would read them while doing a legitimate task, and the agent then pulled sensitive data into an outbound request that looked like ordinary behaviour. It is not an MCP server flaw, but it shows the other half of the problem: an agent that treats untrusted content as instructions becomes an exfiltration channel for whatever its connectors can reach.
mcp-remote (CVE-2025-6514): mcp-remote is a proxy that lets local MCP clients talk to remote servers, and had been downloaded over 437,000 times. Vulnerable versions passed a URL supplied by the remote server during the OAuth discovery step to the operating system without sanitising it, so a malicious or compromised server could run commands on the machine hosting the client. Organizations using the component inherited that risk without knowing it.
None of this required sophisticated attackers. The exposure came from skipping basic authentication and from treating the agent, and everything the agent reads, as trusted, rather than as an untrusted client and untrusted input.
Timeline
2024 to early 2025: Organizations begin wiring AI agents such as Claude and ChatGPT to internal tools, databases, and APIs through MCP servers, often following vendor quick-start guides that get a tool working but say little about securing it.
Mid-2025: Knostic publishes its scan identifying 1,862 publicly reachable MCP servers; the servers it tested required no authentication.
June and July 2025: EchoLeak (Microsoft 365 Copilot) and CVE-2025-6514 (mcp-remote) are disclosed, showing that both the agents and the connectors around them were shipping without basic access controls and without treating what they read as untrusted.
Current state: Organizations are scrambling to inventory AI deployments and add authentication, and many find they have no reliable record of which MCP servers they run or what those servers can reach.
Which Controls Failed or Were Missing
No Authentication Layer
MCP servers accepted connections from any source without verifying who was calling. Access control starts with identity; without it, every control that follows has nothing to bind to.
No Authorization Boundaries
Where a server did check a credential, one valid credential typically unlocked every tool and resource the server exposed. There was no per-client scoping of which tools could be called or which resources could be read.
No Network Segmentation
MCP servers were reachable from the internet while sitting on networks with direct access to internal databases and file systems, so a single exposed endpoint became a bridge into those resources.
Missing Input Validation
EchoLeak showed what happens when an agent treats content it retrieves (email bodies, documents, tool results) as instructions rather than data. Filtering prompts helps at the margin, but the structural fix is to constrain what the agent can do and where it can send data, regardless of what it reads.
No Monitoring or Logging
Organizations could not detect probing or bulk data pulls because most MCP servers logged neither authentication attempts nor which client invoked which tool against which resource.
What the Standards Require
ISO/IEC 27001:2013 Annex A.9.4.1 (A.8.3 in the 2022 edition) — Information Access Restriction
Access to information and application functions must be restricted in line with the access control policy. An AI agent is an application user like any other; it should not hold unrestricted database or file access.
NIST Cybersecurity Framework — PR.AC-4 (v1.1; PR.AA-05 in v2.0)
Access permissions must be managed and enforced, and incorporate least privilege and separation of duties. MCP server connections must authenticate each client and grant it only the tools and resources its task needs.
OWASP ASVS v4.0.3 — Requirement 4.1.1
Access control rules must be enforced on a trusted service layer, not on the client. For MCP, that layer is the server: an agent that promises to call only certain tools is not a control.
NIST 800-53 Rev 5 — AC-3: Access Enforcement
Systems must enforce approved authorizations before granting access to resources. For an MCP server, that means checking authorization on every tools/call and resources/read request, not only once when the connection is opened.
Lessons and Action Items for Your Team
1. Inventory Your AI Infrastructure Today
Identify every MCP server: the host it runs on, the transport and port it listens on, the tools and resources it exposes, the agents that connect to it, and who owns it. Expect to find deployments nobody approved.
2. Implement Authentication Before Anything Else
Close every unauthenticated MCP endpoint. Put a real credential on every connection: mTLS or per-client API keys for server-to-server use, and OAuth 2.1 (the flow the MCP authorization specification is built on) where a user's identity must travel with the agent. Replace or upgrade vulnerable components such as affected mcp-remote versions.
3. Apply Least Privilege to Every Agent Connection
Restrict each AI agent to the tools and resources its business function needs. Give each agent its own service account or token with an explicit allowlist of tools, so a compromised or misled agent cannot reach beyond its task.
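The following is an added example, not code from the original article or from any MCP SDK. It is a minimal MCP-style JSON-RPC endpoint written against Python's standard library, showing the exposed pattern (any caller can invoke any tool) next to the hardened one: bearer-token authentication with a constant-time compare, a 401 with WWW-Authenticate for unauthenticated callers, and a per-client tool allowlist enforced on every tools/call. The client registry, token values, tool names and server-defined error codes are assumptions for illustration.

```python
"""Added example: MCP-style JSON-RPC endpoint, exposed pattern vs. hardened pattern.
Client registry, tokens, tool names and error codes are assumptions for illustration."""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed client registry. In production the tokens would come from a
# secret store or be issued by an OAuth 2.1 authorization server; they are
# hard-coded here only so the example runs offline.
CLIENTS = {
    "reporting-agent": {"token": "rpt-" + "a" * 32, "tools": {"run_readonly_query"}},
    "ops-agent": {"token": "ops-" + "b" * 32, "tools": {"run_readonly_query", "restart_service"}},
}

# Tool stand-ins; a real server would run a query or restart a service here.
TOOLS = {
    "run_readonly_query": lambda args: {"rows": [], "query": args.get("sql")},
    "restart_service": lambda args: {"restarted": args.get("name")},
}


def jsonrpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_open(body):
    """The exposed pattern: no identity check, any caller may invoke any tool."""
    req = json.loads(body)
    params = req.get("params") or {}
    result = TOOLS[params["name"]](params.get("arguments") or {})
    return 200, {"jsonrpc": "2.0", "id": req.get("id"), "result": result}


def authenticate(headers):
    """Return the client name for a valid 'Authorization: Bearer <token>' header,
    else None. Header lookup is case-insensitive; the token compare is
    constant-time and checks every registered token so response timing does
    not reveal whether a guess was close."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, presented = auth.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return None
    matched = None
    for name, client in CLIENTS.items():
        if hmac.compare_digest(client["token"].encode(), presented.encode()):
            matched = name
    return matched


def handle(headers, body):
    """The hardened pattern. Returns (http_status, extra_headers, json_body)."""
    client = authenticate(headers)
    if client is None:
        # Reject before parsing the body: unauthenticated callers learn
        # nothing about which methods or tools exist. -32001 is a
        # server-defined JSON-RPC code (assumed).
        return 401, {"WWW-Authenticate": 'Bearer realm="mcp"'}, jsonrpc_error(
            None, -32001, "authentication required")
    try:
        req = json.loads(body)
        if not isinstance(req, dict):
            raise ValueError("request is not a JSON object")
    except ValueError:
        return 400, {}, jsonrpc_error(None, -32700, "parse error")
    req_id = req.get("id")
    if req.get("method") != "tools/call":
        return 200, {}, jsonrpc_error(req_id, -32601, "method not found")
    params = req.get("params") or {}
    tool = params.get("name")
    if tool not in TOOLS or tool not in CLIENTS[client]["tools"]:
        # Authenticated but not entitled: authorization is checked on every
        # call, not once at connection time. -32003 is server-defined (assumed).
        return 403, {}, jsonrpc_error(req_id, -32003, f"tool not permitted: {tool}")
    result = TOOLS[tool](params.get("arguments") or {})
    return 200, {}, {"jsonrpc": "2.0", "id": req_id, "result": result}


class Handler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper so the hardened handler can be run and probed locally."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, extra, payload = handle(dict(self.headers), self.rfile.read(length))
        out = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    # Bind to loopback only; listening on 0.0.0.0 is how the scanned servers
    # ended up on the internet.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Two design points matter more than the framework. Authentication runs before the request body is parsed, so an unauthenticated scanner gets a bare 401 and cannot enumerate methods or tools. Authorization is evaluated per call against the client's allowlist rather than once at connection time, which is what turns one leaked token into a bounded problem instead of full access.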
4. Segment AI Infrastructure
Isolate MCP servers in their own network segment. Default-deny inbound traffic, allow only the agent hosts that need to connect, bind servers to private interfaces rather than 0.0.0.0, and log every connection attempt, accepted or rejected.
5. Validate All Inputs to AI Agents
Treat everything an agent reads as untrusted input: user prompts, but also documents, email, web pages and tool results. Filter obvious instruction-like payloads, but do not rely on filtering alone; pair it with the least-privilege and segmentation controls in items 3 and 4 so that a steered agent has little to reach, and log suspicious patterns.
6. Enable Comprehensive Logging
Log every MCP interaction with the fields an investigation will need: timestamp, source address, authenticated client, method, tool or resource name, and result. Ship the logs to your SIEM and alert on unauthenticated attempts, denied tool calls, and unusual read volumes.
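As an added example (not from the original article), the rules below run over a constructed JSON-lines access log of the shape a hardened MCP server could emit and raise the three alerts the item above asks for: an unauthenticated scan (a burst of 401s from one address), a denied tool call (an authenticated client asking for a tool outside its allowlist), and an exfiltration-shaped burst of resources/read calls. The field names, thresholds and traffic are assumptions; nothing here is captured from a real deployment.

```python
"""Added example: detection rules over MCP access logs.
Log format, field names and thresholds are assumptions; the traffic is constructed."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def record(ts, src, client, method, tool, status):
    """One JSON-lines access record (assumed field names)."""
    return json.dumps({"ts": ts.strftime(TS_FMT), "src": src, "client": client,
                       "method": method, "tool": tool, "status": status})


def build_sample_log():
    """Constructed traffic, not captured: an unauthenticated scanner, an agent
    probing a tool it is not entitled to, and an agent bulk-reading resources."""
    base = datetime(2025, 7, 1, 10, 0, 0)
    lines = []
    # Eight 401s from one address inside 30 seconds: someone probing the endpoint.
    lines += [record(base + timedelta(seconds=4 * i), "198.51.100.7", None, None, None, 401)
              for i in range(8)]
    # Normal use: three read-only queries from the reporting agent.
    lines += [record(base + timedelta(minutes=i), "10.0.5.20", "reporting-agent",
                     "tools/call", "run_readonly_query", 200) for i in range(3)]
    # The reporting agent asks for a tool outside its allowlist and is denied.
    lines.append(record(base + timedelta(minutes=4), "10.0.5.20", "reporting-agent",
                        "tools/call", "restart_service", 403))
    # Forty resources/read calls in two minutes from the ops agent: exfiltration-shaped.
    lines += [record(base + timedelta(minutes=10, seconds=3 * i), "10.0.5.21", "ops-agent",
                     "resources/read", None, 200) for i in range(40)]
    return lines


def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(lines, window=timedelta(minutes=5), auth_fail_threshold=5, read_threshold=20):
    """Return alerts for three patterns an exposed or over-privileged MCP server
    would produce. Thresholds are assumptions to tune against real baselines."""
    unauth = defaultdict(list)   # src -> timestamps of 401 responses
    reads = defaultdict(list)    # client -> timestamps of resources/read calls
    denied = Counter()           # (client, tool) -> number of 403 responses
    for line in lines:
        r = json.loads(line)
        ts = datetime.strptime(r["ts"], TS_FMT)
        if r["status"] == 401:
            unauth[r["src"]].append(ts)
        elif r["status"] == 403:
            denied[(r["client"], r["tool"])] += 1
        elif r["method"] == "resources/read":
            reads[r["client"]].append(ts)

    alerts = []
    for src, ts in unauth.items():
        n = max_in_window(ts, window)
        if n >= auth_fail_threshold:
            alerts.append({"rule": "unauthenticated_scan", "key": src, "count": n})
    # Any denied call is worth a look: a correctly scoped agent never asks for
    # a tool it does not have, so a 403 means misconfiguration, compromise, or
    # an injected instruction steering the agent.
    for (client, tool), n in denied.items():
        alerts.append({"rule": "tool_denied", "key": client, "tool": tool, "count": n})
    for client, ts in reads.items():
        n = max_in_window(ts, window)
        if n >= read_threshold:
            alerts.append({"rule": "bulk_resource_read", "key": client, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The 403 rule has no threshold on purpose: once every agent has an explicit allowlist, a denied call is a signal in itself, and it is the one pattern that surfaces a prompt-injected agent before any data leaves. The other two thresholds are placeholders; set them from a few weeks of baseline per client rather than from this example.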
7. Test Your AI Attack Surface
Include MCP servers in penetration tests. Confirm that unauthenticated requests are rejected, that a valid credential cannot invoke tools outside its allowlist, and that an agent fed hostile content cannot be steered into exfiltrating data it can reach.
8. Establish an AI Security Review Process
Before deploying an AI agent, document which tools and data it needs, define its privilege level, implement the controls above, and test them. Treat the review as a gate, not a checklist filled in after launch.
The MCP exposure came from missing basic controls, not from novel attacks, and insecure patterns spread quickly because the guides people copied never mentioned security. Treat an AI agent as you would any other application: require authentication, enforce least privilege, monitor access, and test for weaknesses. The principles are not new; what is new is the infrastructure they have to be applied to.