MCP Infrastructure Security Audit: 43% of Servers Vulnerable to Command Execution; Widespread Configuration Failures Across Production Deployments
Date: 2026-04-18
Tags: malicious-tool
Executive Summary
A practitioner's analysis published in April 2026 exposes systemic security flaws in the infrastructure underpinning the rapidly expanding agentic AI landscape. 43% of public servers are vulnerable to command execution, 36.7% of 7,000+ servers are vulnerable to SSRF, 492 servers are exposed to the internet with zero authentication, and 53% of servers use static credentials.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | MCP Infrastructure Security Crisis |
| Attribution | Unknown (confidence: none) |
| Target | Organizations running Model Context Protocol (MCP) servers in production environments; AI agent deployments across enterprises |
| Vector | Insecure MCP server configuration; credential exposure; overprivileged capabilities; authentication bypass |
| Status | active |
| First Observed | 2026-04-01 |
Detailed Findings
The security crisis is three overlapping attack surfaces: Tool Poisoning embeds malicious instructions in tool descriptions—metadata the LLM reads when deciding which tool to call, and the poisoned tool doesn't need to be called; its description gets injected into the context window when the agent connects. Researchers demonstrated this on Cursor, where a poisoned tool description caused an agent to read the user's ~/.cursor/mcp.json and SSH keys, then exfiltrate them. When multiple MCP servers connect to the same agent, all tool descriptions coexist in one LLM context with no isolation. A malicious server can inject descriptions that override trusted servers' tools. Researchers successfully redirected all emails to attacker-controlled addresses even when users specified different recipients. The author concludes that the agentic AI ecosystem is growing faster than anyone can secure it, and we need to build security into the protocol, not bolt it on afterward.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| T1566 | T1566.002 | Phishing—tool poisoning embeds malicious instructions in tool metadata that LLM agents process |
| T1190 | T1190 | Exploit Public-Facing Application—SSRF vulnerabilities in 36.7% of MCP servers enable cloud metadata access |
| T1078 | T1078.001 | Valid Accounts—492 servers exposed with zero authentication; 53% use static credentials vulnerable to credential harvesting |
IOCs
Domains
_No specific IOCs published in source. Audit based on public server enumeration and security posture analysis._
Full URL Paths
_No specific IOCs published in source. Audit based on public server enumeration and security posture analysis._
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
MCP servers (multiple vendors)Detection Recommendations
Credential Isolation: Never store credentials in mcp.json files; use environment variables or secure secret managers. Continuous Monitoring: Log every tool call, context injection, and LLM instruction for anomaly detection. Organizations should conduct security audits of all connected MCP servers, disable unnecessary capabilities, implement network-level isolation between MCP servers, enforce authentication on all MCP endpoints, scan tool descriptions for prompt injection payloads, and maintain an inventory of all agent-connected MCP servers with security posture scoring.
References
- [Gentic News] MCP Security Crisis: 43% of Servers Vulnerable, 341 Malicious Skills Found (2026-04-13) — https://gentic.news/article/mcp-security-crisis-43-of-servers
- [Practical DevSecOps] MCP Server Vulnerabilities 2026 - Prevent Prompt Injection Attacks (2026-01-04) — https://www.practical-devsecops.com/mcp-security-vulnerabilities/
- [Adversa AI] Top MCP security resources — April 2026 (2026-04-15) — https://adversa.ai/blog/top-mcp-security-resources-april-2026/