The Model Context Protocol (MCP) continues to face mounting security concerns that show no signs of fading. When vulnerabilities were first highlighted last October, early research already pointed to serious risks. Findings from Pynt indicated that installing just 10 MCP plug-ins results in a 92% likelihood of exploitation, with even a single plug-in introducing measurable exposure.
The emergence of Clawdbot significantly altered the threat landscape. The fast-growing personal AI assistant — capable of managing inboxes and generating code autonomously — operates entirely on MCP. Developers who deployed Clawdbot on virtual private servers without reviewing security documentation may have unintentionally exposed their organizations to the protocol’s full attack surface.
(The project rebranded from Clawdbot to Moltbot on January 27 after Anthropic issued a trademark request over the similarity to “Claude.”)
Security entrepreneur Itamar Golan anticipated this trajectory. After selling Prompt Security to SentinelOne for an estimated $250 million last year, he issued a public warning on X this week: “Disaster is coming. Thousands of Clawdbots are live right now on VPSs … with open ports to the internet … and zero authentication. This is going to get ugly.”
Subsequent internet scans by Knostic reinforced those concerns. Researchers identified 1,862 MCP servers publicly accessible without authentication. Out of 119 servers tested, every single one responded without requesting credentials.
The implication is straightforward: any function automated by Clawdbot can potentially be repurposed by attackers.
Recent vulnerabilities are not isolated anomalies — they stem from fundamental design choices within MCP. Three major CVEs illustrate this pattern:
- CVE-2025-49596 (CVSS 9.4): Anthropic’s MCP Inspector enabled unauthenticated communication between its web interface and proxy server, making full system compromise possible through a malicious webpage.
- CVE-2025-6514 (CVSS 9.6): A command injection flaw in mcp-remote — an OAuth proxy downloaded 437,000 times — allowed system takeover when connected to a malicious MCP server.
- CVE-2025-52882 (CVSS 8.8): Widely used Claude Code extensions exposed unauthenticated WebSocket servers, permitting arbitrary file access and remote code execution.
Three high-severity vulnerabilities within six months, each exploiting different attack vectors, all trace back to the same core issue: authentication in MCP was optional, and many developers treated optional controls as unnecessary.
Further analysis by Equixly found systemic weaknesses across popular MCP implementations. Their review revealed that 43% contained command injection flaws, 30% allowed unrestricted URL fetching, and 22% exposed files beyond intended directories.
Forrester analyst Jeff Pollard summarized the concern in a blog post: “From a security perspective, it looks like a very effective way to drop a new and very powerful actor into your environment with zero guardrails.”
The risk is substantial. An MCP server with shell access can enable lateral movement, credential harvesting, and ransomware deployment — all triggered through prompt injection hidden wi
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: