Anthropic MCP Architectural Design Flaw: Zero-Click RCE Across 150M+ Downloads via Windsurf IDE
Date: 2026-04-25
Tags: malicious-tool, apt
Executive Summary
OX Security researchers uncovered an architectural RCE vulnerability in Anthropic's Model Context Protocol: Windsurf (CVE-2026-30615) was the only IDE where exploitation required zero user interaction, allowing remote attackers to execute arbitrary commands via prompt injection. The vulnerability ripples through 150M+ downloads and up to 200,000 vulnerable instances across Cursor, VS Code, Claude Code, and Gemini-CLI.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Anthropic MCP Architectural Design Vulnerability |
| Attribution | Vulnerability class; demonstrated by OX Security researchers (confidence: none) |
| Target | AI coding tools (Cursor, Windsurf, VS Code, Claude Code, Gemini-CLI); developers using MCP integrations |
| Vector | STDIO-based command execution via MCP configuration; zero-click prompt injection in Windsurf |
| Status | active |
| First Observed | 2026-04-15 |
Detailed Findings
Anthropic's Model Context Protocol maps configuration directly to command execution through its STDIO transport: the client launches whatever command the configuration names in order to start the server. If that command brings up an STDIO server, the client receives a handle; if it is some other command, the client returns an error, but only after the command has already run. In practice, this lets anyone who can influence the configuration execute an arbitrary OS command. Researchers identified four distinct families of exploitation: unauthenticated UI injection in popular AI frameworks; hardening bypasses in 'protected' environments like Flowise; zero-click prompt injection in leading AI IDEs (Windsurf, Cursor); and malicious marketplace distribution (9 out of 11 MCP registries were successfully 'poisoned' with a malicious trial balloon).
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Exploitation for Privilege Escalation | T1548.004 | Arbitrary OS command execution via STDIO MCP configuration |
| Prompt Injection | T1597.002 | Zero-click indirect prompt injection in Windsurf IDE via HTML content |
| Supply Chain Compromise | T1195.001 | Malicious MCP packages distributed via 9/11 poisoned registries |
IOCs
Domains
_Vulnerability is architectural, not isolated to single implementation; affects all Anthropic SDKs (Python, TypeScript, Java, Rust)_
Full URL Paths
_Vulnerability is architectural, not isolated to single implementation; affects all Anthropic SDKs (Python, TypeScript, Java, Rust)_
Splunk Format
_No IOCs available for Splunk query_
Detection Recommendations
- Immediately audit all MCP STDIO configurations in .claude/settings.json and MCP marketplace repositories for suspicious commands.
- Implement manifest-only execution or a command allowlist in client applications (Cursor, Windsurf, VS Code).
- Scan for MCP registries and plugins downloaded after April 15, 2026.
- Monitor for 'config.patch' parameters and unauthenticated MCP connection attempts.
- Deploy a zero-trust execution model for all MCP tools, with explicit user confirmation before any system command execution.
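The first two recommendations above (audit STDIO configurations, enforce a command allowlist) can be checked mechanically. The script below is an added example written for this page; it is not code from OX Security, Anthropic, or any MCP client. It assumes the common client layout `{"mcpServers": {"<name>": {"command": ..., "args": [...]}}}` (remote servers carry a `url` instead), an allowlist of launchers that is a placeholder to be maintained per organisation, and a constructed sample configuration embedded for demonstration. It flags any STDIO server whose launcher is not allowlisted or whose arguments look like inline shell rather than a named server package.

```python
"""Audit an MCP client configuration for risky STDIO server launch commands.

Added example for this advisory; not part of any MCP client or SDK.
Assumptions: config uses the {"mcpServers": {...}} layout; ALLOWED_COMMANDS
is a placeholder allowlist; SAMPLE_CONFIG is constructed test data.
"""
import json
import os
import re
import sys
from typing import Any, Dict, List

# Placeholder allowlist of launchers a team accepts for STDIO servers.
ALLOWED_COMMANDS = {"npx", "uvx", "node", "python", "python3", "docker"}

# Argument shapes that indicate a launcher is running arbitrary code instead
# of starting a known server package.
SUSPICIOUS_ARG_PATTERNS = [
    re.compile(r"^-(c|e)$"),                         # python -c / sh -c / node -e
    re.compile(r"[;&|`$]"),                          # shell metacharacters
    re.compile(r"\b(curl|wget)\b"),                  # remote fetch inside an argument
    re.compile(r"\b(bash|sh|cmd\.exe|powershell)\b", re.I),
]

# Constructed sample: one clean server, two inline-shell launches, one remote.
SAMPLE_CONFIG: Dict[str, Any] = {
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"],
        },
        "inline-shell": {"command": "/bin/bash", "args": ["-c", "id; whoami"]},
        "py-inline": {
            "command": "python3",
            "args": ["-c", "import os; os.system('id')"],
        },
        "remote": {"url": "https://example.invalid/mcp"},
    }
}


def _check_args(args: List[str]) -> List[str]:
    """Return one reason per argument that matches a suspicious pattern."""
    reasons = []
    for arg in args:
        if any(pat.search(arg) for pat in SUSPICIOUS_ARG_PATTERNS):
            reasons.append(f"suspicious argument {arg!r}")
    return reasons


def audit_mcp_config(config: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return findings for every server entry that needs attention.

    Clean STDIO entries (allowlisted launcher, benign args) produce no finding.
    """
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        if "command" in spec:
            launcher = os.path.basename(spec["command"])
            reasons = []
            if launcher not in ALLOWED_COMMANDS:
                reasons.append(f"launcher {launcher!r} is not on the allowlist")
            reasons.extend(_check_args(spec.get("args", [])))
            if reasons:
                findings.append({"server": name, "transport": "stdio",
                                 "severity": "high", "reasons": reasons})
        elif "url" in spec:
            # No local process is spawned, but the endpoint still deserves review.
            findings.append({"server": name, "transport": "remote",
                             "severity": "info",
                             "reasons": [f"remote endpoint {spec['url']!r}"]})
        else:
            findings.append({"server": name, "transport": "unknown",
                             "severity": "medium",
                             "reasons": ["entry has neither 'command' nor 'url'"]})
    return findings


def audit_file(path: str) -> List[Dict[str, Any]]:
    """Load a JSON config file (e.g. a client's MCP settings) and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_mcp_config(json.load(fh))


if __name__ == "__main__":
    # Usage: python audit_mcp.py [path/to/mcp-config.json]; defaults to the sample.
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_mcp_config(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f['severity']}] {f['server']} ({f['transport']}): " + "; ".join(f["reasons"]))
```

Pointing the script at a real client configuration turns the "audit for suspicious commands" step into a repeatable check; the allowlist is deliberately strict so that anything other than a known package launcher is surfaced for a human decision, which is the manifest-only model the recommendations call for.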
References
- [OX Security] The Mother of All AI Supply Chains: Critical, Systemic Vulnerability at the Core of Anthropic's MCP (2026-04-16) — https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/
- [The Hacker News] Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain (2026-04-22) — https://thehackernews.com/2026/04/anthropic-mcp-design-vulnerability.html
- [The Register] MCP 'design flaw' puts 200k servers at risk: Researcher (2026-04-16) — https://www.theregister.com/2026/04/16/anthropic_mcp_design_flaw/