Enterprise DNA

Omni by Enterprise DNA

Enterprise DNA Resources

Latest AI and industry news. Practical AI operating-system thinking for owners, operators, and teams doing real work.

220k+

Data professionals

Omni

AI agents and apps

Audit

Map the manual work

News Breaking AI News

MCP's 'By Design' Flaw Puts 200K AI Servers at Risk

OX Security found an architectural RCE flaw in Anthropic's MCP affecting 150M+ downloads. Anthropic says it's 'by design', leaving enterprises to self-manage.

Enterprise DNA | | via The Register
MCP's 'By Design' Flaw Puts 200K AI Servers at Risk

If your team uses Cursor, Claude Code, VS Code with AI extensions, or Gemini-CLI, you need to read this.

Security researchers at OX Security disclosed this week that Anthropic’s Model Context Protocol, the open standard that connects AI agents to external tools and data sources, contains a systemic architectural vulnerability that could allow attackers to execute arbitrary code on any connected system. The vulnerability affects an estimated 150 million downloads and leaves up to 200,000 servers exposed.

What makes this particularly unusual: Anthropic confirmed the behavior is intentional. The company says the STDIO execution model at the heart of MCP is a secure default, and that input sanitization is the developer’s responsibility. There is no patch coming.

What Is MCP and Why Does This Matter

MCP, short for Model Context Protocol, is the plumbing that lets AI agents connect to external systems: databases, APIs, file systems, code editors, and more. Anthropic created it as an open standard, and it has become the default integration layer for the agentic AI ecosystem. If you are building AI workflows that touch real business data or systems, there is a high probability MCP is involved.

That ubiquity is exactly what makes this disclosure so consequential. A flaw in MCP is not a flaw in one product. It is a flaw in the infrastructure shared across the entire agentic AI industry.

What OX Security Found

The OX Security team describes the core problem as “execute first, validate never.” MCP’s STDIO transport layer, used by virtually every client and server implementation, passes commands without sanitization before execution. A malicious or compromised MCP server can inject commands that execute silently, with no user confirmation required.

The vulnerability runs deep because it is baked into Anthropic’s official SDKs across every supported programming language: Python, TypeScript, Java, and Rust. Any tool built on these SDKs inherits the exposure.

Researchers identified the following tools as directly affected:

  • Cursor - the AI-powered code editor used widely in enterprise engineering teams
  • VS Code - with AI/MCP extensions enabled
  • Windsurf - assigned CVE-2026-30615, the only tool where exploitation requires zero user interaction
  • Claude Code - Anthropic’s own CLI agent
  • Gemini-CLI - Google’s command-line AI agent

The Windsurf vulnerability is the most severe. Exploitation requires no clicks, no prompts, no permissions dialog. An attacker with access to a malicious MCP server can silently compromise the developer’s machine.

The Supply Chain Attack Surface

What elevates this from a standard vulnerability to a supply chain risk is how MCP servers are distributed. Developers install MCP servers much like they install npm packages, pulling them from public registries with varying levels of vetting. A threat actor who publishes a convincing-looking MCP server (say, a “Jira connector” or “Slack integration”) can use it as a delivery vehicle to execute code on every developer machine that installs it.

The researchers warned that attackers could use this pathway to exfiltrate API keys, access internal databases, steal chat histories, and establish persistent backdoors, all without triggering standard endpoint security controls, because the execution looks like normal AI agent activity.

This is not a hypothetical. OX Security also published a separate advisory on the same week documenting real-world RCE vulnerabilities across multiple MCP server implementations in the ecosystem.

Anthropic’s Response

Anthropic reviewed the findings and declined to modify the protocol. The company’s position is that STDIO is a secure transport mechanism by design and that developers building on MCP are responsible for sanitizing inputs at the application layer.

OX Security disagrees. Researchers argue that when a protocol’s official SDKs execute commands without any built-in validation layer, the protocol itself is the wrong place to load the security burden onto developers, most of whom are building MCP integrations without a deep security background.

The practical result: there is no central fix on the way. Each developer, each team, and each vendor building on MCP must address this in their own implementation.

What This Means for Business

If your organisation is using AI coding tools or building agentic AI workflows, here is what to do now.

Audit your MCP server inventory. Know exactly which MCP servers your team has installed. Treat each one with the same scrutiny as a third-party npm dependency. If it connects to sensitive systems and you cannot verify the source, remove it.

Restrict MCP to trusted, internal sources. Where possible, build and maintain your own MCP servers rather than pulling from public registries. If you must use third-party servers, pin versions and monitor for unexpected updates.

Treat AI agent activity as privileged. Standard endpoint security tools may not flag suspicious commands if they originate from an AI agent. Update your monitoring rules to treat unusual MCP-initiated system calls as suspicious.

Talk to your AI vendor. If you are using a managed AI platform, whether that is Anthropic’s enterprise products, Microsoft Copilot, or a third-party agent platform, ask them directly: how are they validating inputs at the MCP layer?

The broader lesson here is one that Enterprise DNA has been raising with business clients for the past year: moving fast with AI is valuable, but the governance layer cannot be an afterthought. The same architecture that makes MCP so powerful, its openness and its ability to connect AI to anything, is also what makes it a high-value attack surface.

Agentic AI is production-ready. The security posture around it still has significant ground to cover.


If this is the kind of problem agents can help with, the free Working With Claude field guide is the practical next step. Thirty-two pages, no fluff. Get the free guide.

Working With Claude field guide cover

Free Resource

Going deeper with Claude?

Get the free 32-page implementation guide for ANZ teams.

No spam. Unsubscribe any time.