The same connectivity that made <a href="https://www.anthropic.com/news/model-context-protocol">Anthropic&#x27;s Model Context Protocol (MCP)</a> the fastest-adopted AI integration standard in 2025 has created enterprise cybersecurity&#x27;s most dangerous blind spot. <a href="https://www.pynt.io/resources-hub/mcp-security-research-2025">Recent research from Pynt</a> quantifies the growing threat in clear, unambiguous terms. Their analysis exposes the startling network effect of vulnerabilities that escalate the more MCP plugins are used. Deploying just ten MCP plugins creates a <a href="https://www.pynt.io/">92% probability of exploitation</a>. At three interconnected servers, risk <a href="https://www.pynt.io/resources-hub/mcp-security-research-2025">exceeds 50%</a>. Even a single MCP plugin presents a 9% exploit probability, and the threat compounds exponentially with each addition.<h2>MCPs&#x27; security paradox is driving one of the enterprises&#x27; most significant AI risks</h2>The design premise for MCP began with a commendable goal of solving AI&#x27;s integration chaos. Anthropic chose to standardize how large language models (LLMs) connect to external tools and data sources, delivering what every organization working with AI models and resources desperately needed: a universal interface for AI agents to access everything from APIs, cloud services, databases, and more. <a href="https://www.anthropic.com/news/model-context-protocol">Anthropic&#x27;s launch was so well orchestrated</a> that MCP immediately gained traction with many of the leading AI companies in the industry, including Google and Microsoft, who both quickly adopted the standard. Now, a short ten months after the launch, there are <a href="https://mcp.so/">over 16,000 MCP servers deployed</a> across Fortune 500 companies this year alone.At the core of MCP&#x27;s security paradox is its greatest strength, which is <a href="https://zenity.io/blog/current-events/model-context-protocol">frictionless connectivity</a> and <a href="https://www.catonetworks.com/blog/cato-ctrl-exploiting-model-context-protocol-mcp/">pervasive integration </a>with as little friction as possible. That aspect of the protocol is its <a href="https://blog.sshh.io/p/everything-wrong-with-mcp">greatest weakness</a>. <a href="https://blog.sshh.io/p/everything-wrong-with-mcp">Security</a> wasn&#x27;t built into the protocol&#x27;s core design. <a href="https://adversa.ai/mcp-security-top-25-mcp-vulnerabilities/">Authentication</a> remains optional. <a href="https://www.speakeasy.com/mcp/release-notes">Authorization frameworks</a> arrived just six months ago in updates, months after the protocol had seen widespread deployments. Combined, these two factors are fueling a quickly <a href="https://arxiv.org/html/2508.12538v1">sprawling attack surface</a> where every new connection multiplies risk, creating a <a href="https://adversa.ai/mcp-security-top-25-mcp-vulnerabilities/">network effect</a> of vulnerabilities.&quot;MCP is shipping with the same mistake we&#x27;ve seen in every major protocol rollout: insecure defaults,&quot; warns Merritt Baer, Chief Security Officer at <a href="https://www.enkryptai.com/">Enkrypt AI</a> and advisor to companies including Andesite and AppOmni told VentureBeat in a recent interview. &quot;If we don&#x27;t build authentication and least privilege in from day one, we&#x27;ll be cleaning up breaches for the next decade.&quot;Source: Pynt, Quantifying Risk Exposure Across 281 MCPs Report <h2>Defining Compositional Risk: How security breaks at scale</h2><a href="https://www.pynt.io/resources-hub/mcp-security-research-2025">Pynt&#x27;s analysis</a> of 281 MCP servers provides the data needed to illustrate the mathematical principles that are core to compositional risk. According to their analysis, 72% of MCPs expose sensitive capabilities that include dynamic code execution, file system access, and privileged API calls, while 13% accept untrusted inputs like web scraping, Slack messages, email, or RSS feeds. When these two risk factors intersect, as they do in 9% of real-world MCP setups, attackers gain direct pathways to prompt injections, command execution, and data exfiltration, often without a single human approval required. These aren&#x27;t hypothetical vulnerabilities; they&#x27;re live, measurable exploit paths hidden within everyday MCP configurations.&quot;When you plug into an MCP server, you&#x27;re not just trusting your own security, you&#x27;re inheriting the hygiene of every tool, every credential, every developer in that chain,&quot; Baer warns. &quot;That&#x27;s a supply chain risk in real time.&quot;Source: Pynt, Quantifying Risk Exposure Across 281 MCPs Report <h2>A growing base of real-world exploits shows that MCP&#x27;s vulnerabilities are real </h2>Security research teams from many of the industry&#x27;s leading companies continue their work to identify real-world exploits that MCP is currently seeing in the wild, in addition to those that are theoretical in nature. The MCP protocol continues to show increased vulnerabilities in different scenarios, with the main ones including the following: <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-6514">CVE-2025-6514</a> (CVSS 9.6): The MCP-remote package, downloaded over 500,000 times, carries a critical vulnerability allowing arbitrary OS command execution. &quot;The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running MCP-remote when it initiates a connection to an untrusted MCP server, launching a full system compromise,&quot; warns <a href="https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability/">JFrog&#x27;s</a> security team.<a href="https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft">The Postmark MCP Backdoor</a>: <a href="https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft">Koi Security</a> uncovered that the <a href="https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft">postmark-mcp npm package</a> had been trojanized to grant attackers implicit &quot;god-mode&quot; access within AI workflows. In version 1.0.16, the malicious actor inserted a single line of code that silently BCC&#x27;d every outbound email to their domain (e.g., phan@giftshop.club), effectively exfiltrating internal memos, invoices, and password resets, all without raising alerts. As<a href="https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft"> Koi researchers</a> put it: &quot;These MCP servers run with the same privileges as the AI assistants themselves — full email access, database connections, API permissions — yet they don&#x27;t appear in any asset inventory, skip vendor risk assessments, and bypass every security control from DLP to email gateways.&quot; Idan Dardikman, co-founder and CTO at Koi Security, <a href="https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft">writes in a recent blog post</a> exposing just how lethal the postmark-mcp npm package is, &quot;Let me be really clear about something: MCP servers aren&#x27;t like regular npm packages. These are tools specifically designed for AI assistants to use autonomously.&quot;&quot;If you&#x27;re using postmark-mcp version 1.0.16 or later, you&#x27;re compromised. Remove it immediately and rotate any credentials that may have been exposed through email. But more importantly, audit every MCP server you&#x27;re using. Ask yourself: Do you actually know who built these tools you&#x27;re trusting with everything? &quot; Dardikman writes. He ends the <a href="https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft">post</a> with solid advice: &quot;Stay paranoid. With MCPs, paranoia is just good sense.&quot;<a href="https://nvd.nist.gov/vuln/detail/CVE-2025-49596">CVE-2025-49596</a>: <a href="https://www.oligo.security/">Oligo Security</a> exposed a critical RCE vulnerability in Anthropic&#x27;s MCP Inspector, enabling browser-based attacks. &quot;With code execution on a developer&#x27;s machine, attackers can steal data, install backdoors, and move laterally across networks,&quot; explains Avi Lumelsky, security researcher <a href="https://www.trailofbits.com/">Trail of Bits&#x27;</a> <a href="https://blog.trailofbits.com/2025/04/21/jumping-the-line-how-mcp-servers-can-attack-you-before-you-ever-use-them/">&quot;Line Jumping&quot; Attack</a>: Researchers demonstrated how malicious <a href="https://securelist.com/model-context-protocol-for-ai-integration-abused-in-supply-chain-attacks/117473/">MCP servers</a> inject prompts through <a href="https://adversa.ai/mcp-security-top-25-mcp-vulnerabilities/">tool descriptions</a> to manipulate AI behavior without ever being explicitly invoked. &quot;This vulnerability exploits the faulty assumption that humans provide a reliable defense layer,&quot; the team notes.Additional vulnerabilities include <a href="https://www.securityweek.com/top-25-mcp-vulnerabilities-reveal-how-ai-agents-can-be-exploited/?utm_source=chatgpt.com">prompt injection attacks</a> hijacking AI behavior, <a href="https://securelist.com/model-context-protocol-for-ai-integration-abused-in-supply-chain-attacks/117473/?utm_source=chatgpt.com">tool poisoning</a>, manipulating server metadata, <a href="https://www.esentire.com/blog/how-identity-centric-attacks-are-threatening-mid-market-organizations?utm_source=chatgpt.com">authentication weaknesses</a> where tokens pass through untrusted proxies, and <a href="https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem?utm_source=chatgpt.com">supply chain attacks through compromised npm packages</a>.<h2>The authentication gap needs to be designed out first </h2>Authentication and authorization were initially optional in MCP. The protocol prioritized interoperability over security, assuming enterprises would add their own controls. They haven&#x27;t. <a href="https://oauth.net/2/">OAuth 2.0</a> authorization finally arrived in March 2025, refined to <a href="https://oauth.net/2.1/">OAuth 2.1</a> by June. But thousands of MCP servers deployed without authentication remain in production. Academic research from <a href="https://arxiv.org/html/2506.13538v2?utm_source=chatgpt.com">Queen&#x27;s University</a> analyzed 1,899 open-source MCP servers and found 7.2% contain general vulnerabilities and 5.5% exhibit MCP-specific tool poisoning. <a href="https://arxiv.org/html/2503.18255v1?utm_source=chatgpt.com">Gartner&#x27;s survey (via IBM&#x27;s Human–Machine Identity Blur paper)</a> reveals organizations deploy 45 cybersecurity tools but effectively manage only 44% of machine identities, meaning half the identities in enterprise ecosystems could be invisible and unmanaged.<h2>Defining a comprehensive MCP defense strategy is table stakes</h2>Defining a multilayer MCP defense strategy helps to close the gaps left in the original protocol&#x27;s structure. The layers defined here look to bring together architectural safeguards and immediate operational measures to reduce an organization&#x27;s threat surface.<h3>Layer 1: Start with the weakest area of MCP which is authentication and access controls </h3>Improving authentication and access controls needs to start with enforcing <a href="https://oauth.net/2.1/">OAuth 2.1</a> for each MCP gateway across an organization. <a href="https://www.gartner.com/en/documents/6907866">Gartner</a> notes that enterprises enforcing these measures report 48% fewer vulnerabilities, 30% better user adoption, and centralized MCP server monitoring. &quot;MCP gateways serve as essential security intermediaries,&quot; <a href="https://www.gartner.com/en/documents/6387843">writes</a> the research firm, by providing unified server catalogs and real-time monitoring. <h3>Layer 2: Why semantic layers matter in contextual security</h3>Semantic layers are essential for bringing greater context to each access decision, ensuring AI agents work only with standardized, trusted, and verifiable data. Deploying semantic layers helps reduce operational overhead, improves natural language query accuracy, and delivers the real-time traceability security leaders need. VentureBeat is seeing the practice of embedding security policies directly into data access contribute to reduced breach risks and more secure agentic analytics workflows.<h3>Layer 3: Knowledge graphs are essential for visibility</h3>By definition, knowledge graphs connect entities, analytics assets, and business processes, enabling AI agents to operate transparently and securely within an organizational context. Gartner highlights this capability as critical for regulatory compliance, auditability, and trust, especially in complex queries and workflows. Merritt Baer underscores the urgency: &quot;If you&#x27;re using MCP today, you already need security. Guardrails, monitoring, and audit logs aren&#x27;t optional — they&#x27;re the difference between innovation with and without risk mitigation,&quot; advises Baer. <h2>Recommended action plan for security leaders</h2>VentureBeat recommends security leaders who have MCP-based integrations active in their organizations take the following five precautionary actions to secure their infrastructure: <ol><li>Make it a practice of implementing MCP Gateways by first enforcing <a href="https://oauth.net/2.1/">OAuth 2.1</a> and <a href="https://openid.net/connect/">OpenID Connect</a> while centralizing MCP server registration. </li><li>Define how your infrastructure can support a layered security architecture with semantic layers and knowledge graphs alongside gateways.</li><li>Turn the activity of conducting regular MCP audits through threat modeling, continuous monitoring, and red-teaming into the muscle memory of your security teams, so it&#x27;s done by reflex.</li><li>Limit MCP plugin usage to essential plugins only—remember: <a href="https://www.pynt.io/blog/llm-security-blogs/state-of-mcp-security">3 plugins = 52% risk, 10 plugins = 92% risk</a>.</li><li>Invest in AI-specific security as a distinct risk category within your cybersecurity strategy.</li></ol>

تكشف الأبحاث الحديثة أن بروتوكول سياق النموذج (MCP)، الذي أصبح معيار تكامل الذكاء الاصطناعي الأكثر اعتمادًا في عام 2025، لديه احتمال استغلال يبلغ 92%، مما يبرز نقطة عمياء كبيرة في الأمن السيبراني للمؤسسات. هذه الإحصائية المقلقة من Pynt تؤكد الحاجة الملحة للمنظمات لإعادة تقييم تدابيرها الأمنية، حيث أن التكنولوجيا المصممة لتعزيز الاتصال قد تعرضها أيضًا لثغرات غير مسبوقة. فهم هذه المخاطر أمر بالغ الأهمية للشركات لحماية بياناتها والحفاظ على الثقة في أنظمة الذكاء الاصطناعي.

Una investigación reciente revela que el Protocolo de Contexto de Modelo (MCP), que se convirtió en el estándar de integración de IA más adoptado en 2025, tiene una probabilidad de explotación del 92%, destacando un punto ciego significativo en la ciberseguridad empresarial. Esta alarmante estadística de Pynt subraya la necesidad urgente de que las organizaciones reevaluen sus medidas de seguridad, ya que la misma tecnología diseñada para mejorar la conectividad puede exponerlas a vulnerabilidades sin precedentes. Comprender estos riesgos es crucial para que las empresas protejan sus datos y mantengan la confianza en los sistemas de IA.

Une recherche récente révèle que le Protocole de Contexte de Modèle (MCP), devenu le standard d'intégration de l'IA le plus rapidement adopté en 2025, présente une probabilité d'exploitation de 92 %, mettant en lumière un point aveugle significatif dans la cybersécurité des entreprises. Cette statistique alarmante de Pynt souligne l'urgence pour les organisations de réévaluer leurs mesures de sécurité, car la technologie conçue pour améliorer la connectivité peut également les exposer à des vulnérabilités sans précédent. Comprendre ces risques est crucial pour les entreprises afin de protéger leurs données et de maintenir la confiance dans les systèmes d'IA.

Recent research reveals that the Model Context Protocol (MCP), which became the fastest-adopted AI integration standard in 2025, has a staggering 92% exploit probability, highlighting a significant blind spot in enterprise cybersecurity. This alarming statistic from Pynt underscores the urgent need for organizations to reassess their security measures, as the very technology designed to enhance connectivity may also expose them to unprecedented vulnerabilities. Understanding these risks is crucial for businesses to protect their data and maintain trust in AI systems.

MCP stacks have a 92% exploit probability: How 10 plugins became enterprise security's biggest blind spot

Was this article worth reading? Share it