Hundreds of Model Context Protocol (MCP) servers around the world are open to abuse, with vulnerabilities that put vibe coders and their organization's sensitive assets at risk.
Introduced late last year, MCP servers are an easy-to-use extension of LLMs, thanks to the simplicity of their protocols, and have come into widespread use due to the broad availability of independently developed MCPs.
However, according to analysis from Backslash Security, around half of the 15,000-plus MCP servers in existence are dangerously misconfigured or carelessly built. The resulting vulnerabilities are in some cases catastrophic, the company warned.
They fall under two general headings. First is the MCP ‘NeighborJack’ vulnerability, whereby hundreds of MCP servers are explicitly bound to all network interfaces (0.0.0.0), making them accessible to anyone on the same local network.
This was the most common vulnerability found, with hundreds of cases discovered.
"Imagine you’re coding in a shared co-working space or café. Your MCP server is silently running on your machine," the researchers said.
"The person sitting near you, sipping their latte, can now access your MCP server, impersonate tools, and potentially run operations on your behalf."
Meanwhile, dozens of MCP servers allowed arbitrary command execution on the host machine thanks to careless use of a subprocess, a lack of input sanitization, or security bugs such as path traversal.
Most concerning of all, on several MCP servers both vulnerabilities were present, allowing bad actors to take full control of the host machine running the server.
Malicious actors that come across these MCP servers would have full access to run any command, scrape memory, or impersonate tools used by AI agents, Backslash said.
Meanwhile, beyond code execution, MCPs can serve as stealthy pathways for prompt injection and context poisoning, Backslash warned. Malicious or manipulated public content can change what an LLM sees - returning misleading data, or rerouting agent logic.
“Our research highlights several prevalent MCP server weaknesses that can open enterprise environments to threat vectors including remote code execution, data exposure, and network traversal,” said Yossi Pik, co-founder and CTO of Backslash Security.
More trouble on the way for MCP servers
In a yet-to-be-released finding, Backslash said it also identified an exploit path involving a seemingly benign public document that can trigger a cascading compromise, because the MCP silently connected it into the LLM agent’s logic without proper boundaries.
The issue here wasn’t a vulnerability in the MCP code itself, but rather in the configuration of the data source it accessed. Backslash said the issue affects a 'very popular' tool with tens of thousands of users and that it's currently working with the vendor to coordinate responsible disclosure.
The company has now launched a free self-assessment tool for vibe coding environments to help security teams gain visibility into the vibe coding tools being used in their organizations, continuously gauging the risk posed by large language models (LLMs), MCP servers, and IDE AI rules in use.
"It's critical to give developers and vibe coders the tools and guidance to safely navigate this emerging attack service, which is why we’ve created the MCP Server Security Hub," said Pik.
"Developers will continue to tap MCP servers' flexibility and utility, so we wanted to give the community a safer means of doing so."
MORE FROM ITPRO
- The NCSC wants developers to get serious on software security
- Shifting left might improve software security, but developers are becoming overwhelmed
- Software security debt is spiraling out of control
-
The NCSC wants you to start using password managers and passkeysNews New guidance from the NCSC recommends using passkeys and password managers – but how can you choose the best option? ITPro has you covered.
-
North Korean IT workers: The growing threatIn-depth As fake IT worker schemes plague firms in the US and Europe, what can leaders do to protect their organizations?
-
AI-generated code is in vogue: Developers are now packing codebases with automated code – but they’re overlooking security and leaving enterprises open to huge risksNews While AI-generated code is helping to streamline operations for developer teams, many are overlooking crucial security considerations.
-
Mistral targets security-conscious developers with new AI coding assistantThe coding assistant, available now in private preview, will be fully customizable
-
Big tech promised developers productivity gains with AI tools – now they’re being rendered obsoleteOpinion Big tech promised software developers huge benefits with AI tools, but now they face job cuts as companies ramp up automation.
-
Shifting left might improve software security, but developers are becoming overwhelmed – communication barriers, tool sprawl, and ‘vulnerability overload’ are causing serious headaches for development teamsNews Developers are becoming overwhelmed amid the 'shift left' in development practices, new research shows.
-
Anthropic’s new AI model could be a game changer for developers: Claude Opus 4 ‘pushes the boundaries in coding’, dramatically outperforms OpenAI’s GPT-4.1, and can code independently for seven hoursNews Claude Opus 4 boasts huge performance capabilities and is fine-tuned for software developers.
-
‘It’s far from showing its age’: Java might’ve just turned 30, but it’s still going strong and here to stayNews With Java celebrating its 30th anniversary, we look at the rise of the programming language and what the future holds.
-
Python’s popularity shows no signs of fading – here’s why software developers love itNews Python remains highly popular among developers for a number of key reasons, experts told ITPro.
-
The NCSC wants developers to get serious on software securityNews The NCSC's new Software Security Code of Practice has been welcomed by cyber professionals as a positive step toward bolstering software supply chain security.
