Hundreds of Model Context Protocol (MCP) servers around the world are open to abuse, with vulnerabilities that put vibe coders and their organization's sensitive assets at risk.
Introduced late last year, MCP servers are an easy-to-use extension of LLMs, thanks to the simplicity of their protocols, and have come into widespread use due to the broad availability of independently developed MCPs.
However, according to analysis from Backslash Security, around half of the 15,000-plus MCP servers in existence are dangerously misconfigured or carelessly built. The resulting vulnerabilities are in some cases catastrophic, the company warned.
They fall under two general headings. First is the MCP ‘NeighborJack’ vulnerability, whereby hundreds of MCP servers are explicitly bound to all network interfaces (0.0.0.0), making them accessible to anyone on the same local network.
This was the most common vulnerability found, with hundreds of cases discovered.
"Imagine you’re coding in a shared co-working space or café. Your MCP server is silently running on your machine," the researchers said.
"The person sitting near you, sipping their latte, can now access your MCP server, impersonate tools, and potentially run operations on your behalf."
Meanwhile, dozens of MCP servers allowed arbitrary command execution on the host machine thanks to careless use of a subprocess, a lack of input sanitization, or security bugs such as path traversal.
Most concerning of all, on several MCP servers both vulnerabilities were present, allowing bad actors to take full control of the host machine running the server.
Malicious actors that come across these MCP servers would have full access to run any command, scrape memory, or impersonate tools used by AI agents, Backslash said.
Meanwhile, beyond code execution, MCPs can serve as stealthy pathways for prompt injection and context poisoning, Backslash warned. Malicious or manipulated public content can change what an LLM sees - returning misleading data, or rerouting agent logic.
“Our research highlights several prevalent MCP server weaknesses that can open enterprise environments to threat vectors including remote code execution, data exposure, and network traversal,” said Yossi Pik, co-founder and CTO of Backslash Security.
More trouble on the way for MCP servers
In a yet-to-be-released finding, Backslash said it also identified an exploit path involving a seemingly benign public document that can trigger a cascading compromise, because the MCP silently connected it into the LLM agent’s logic without proper boundaries.
The issue here wasn’t a vulnerability in the MCP code itself, but rather in the configuration of the data source it accessed. Backslash said the issue affects a 'very popular' tool with tens of thousands of users and that it's currently working with the vendor to coordinate responsible disclosure.
The company has now launched a free self-assessment tool for vibe coding environments to help security teams gain visibility into the vibe coding tools being used in their organizations, continuously gauging the risk posed by large language models (LLMs), MCP servers, and IDE AI rules in use.
"It's critical to give developers and vibe coders the tools and guidance to safely navigate this emerging attack service, which is why we’ve created the MCP Server Security Hub," said Pik.
"Developers will continue to tap MCP servers' flexibility and utility, so we wanted to give the community a safer means of doing so."
MORE FROM ITPRO
- The NCSC wants developers to get serious on software security
- Shifting left might improve software security, but developers are becoming overwhelmed
- Software security debt is spiraling out of control
-
Cyber skills shortages are pushing organizations into risky shortcutsNews Chronic cyber skills shortages mean many businesses are implementing quick fixes
-
Seagate and Acronis are teaming up to drive MSP storage capabilitiesNews Acronis will incorporate Seagate’s Lyve Cloud Object Storage into its archival storage offerings to help MSPs meet AI-driven data demands
-
UK government programmers trialed AI coding assistants from Microsoft, GitHub, and Google – here's what they foundNews Developers participating in a trial of AI coding tools from Google, Microsoft, and GitHub reported big time savings, with 58% saying they now couldn't work without them.
-
Senior developers are all in on vibe coding, but junior staff lack the experience to spot critical flawsNews Experienced developers are far more confident in using AI-generated code
-
Hexaware partners with Replit to take secure 'vibe coding' to the enterpriseNews The new collaboration enables business teams to create secure, production-grade applications without the need for traditional coding skills
-
Microsoft says AI is finally having a 'meaningful impact' on developer productivity – and 80% 'would be sad if they could no longer use it'News Researchers at Microsoft wanted to demystify how AI is being used by software developers – their findings show the benefits are finally becoming clear.
-
Google's new Jules coding agent is free to use for anyone – and it just got a big update to prevent bad code outputNews Jules came out of beta and launched publicly earlier this month, but it's already had a big update aimed at improving code quality and safety.
-
Using an older version of Python? You’re leaving ‘money and performance on the table’ if you don’t upgrade – and missing out on big developer efficiency gains
News New research from JetBrains shows a majority of enterprises are using a version of Python that’s a year or more older – and it's having a big impact on efficiency and performance.
-
Developers say AI can code better than most humans – but there's a catchNews A new survey suggests AI coding tools are catching up on human capabilities
-
84% of software developers are now using AI, but nearly half 'don't trust' the technology over accuracy concernsNews AI coding tools are delivering benefits for developers, but they’re still worried about security and compliance
