Report Finds Agentic AI Protocol Vulnerable to Cyber Attacks

A new report from Backslash Security has identified significant security weaknesses in servers implementing the Model Context Protocol (MCP), an open protocol introduced by Anthropic in November 2024 to standardize how AI agents and assistants connect to external tools and data sources.

MCP has gained industry traction as a standard way for AI agents to discover and call tools and to share context, which is crucial for building more sophisticated and collaborative AI systems within enterprises. With that traction, however, has come attention from threat actors. The Backslash Security report highlights two major classes of flaw, a network-exposure misconfiguration it dubs "NeighborJack" and OS command injection, that undermine the integrity of MCP servers and can allow unauthorized access to, and control over, the host systems that run them.

"MCP NeighborJack" was the most common weakness Backslash discovered, with hundreds of cases found among the more than 7,000 publicly accessible MCP servers it analyzed. The core problem is that these vulnerable MCP servers were explicitly bound to all network interfaces (0.0.0.0) rather than to the loopback address (127.0.0.1), making them "accessible to anyone on the same local network." Unless the server enforces authentication of its own, any host that can reach the port, whether a neighbor on the same Wi-Fi or office LAN or, if the machine has a public address or a forwarded port, the wider internet, can talk to the server as though it were the local AI client. The misconfiguration thus creates a significant point of entry for exploitation.
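As an added illustration (not Backslash's code or tooling), here is how a practitioner can check a developer machine for the NeighborJack condition: parse the output of `ss -ltnp` on Linux and flag every listening TCP socket bound to a wildcard or non-loopback address. The `ss` output below is constructed for the example, and the process names, ports and PIDs in it are hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `ss -ltnp` output (not captured from any real host):
# one row per listening TCP socket, with the owning process in the last column.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:8000         0.0.0.0:*          users:(("python3",pid=4242,fd=5))
LISTEN  0       128     127.0.0.1:3001       0.0.0.0:*          users:(("node",pid=4311,fd=20))
LISTEN  0       511     *:3000               *:*                users:(("node",pid=4312,fd=21))
LISTEN  0       128     [::]:8080            [::]:*             users:(("python3",pid=4400,fd=6))
LISTEN  0       128     [::1]:9000           [::]:*             users:(("python3",pid=4401,fd=6))
LISTEN  0       128     192.168.1.20:8443    0.0.0.0:*          users:(("python3",pid=4402,fd=7))
"""

# Wildcard bind addresses: the socket accepts connections on every interface.
WILDCARDS = {"0.0.0.0", "::", "*", ""}
LOOPBACK = {"127.0.0.1", "::1"}

Listener = Tuple[str, int, str, int]   # (host, port, process name, pid)


def bind_exposure(host: str) -> str:
    """Classify a bind address: 'network' if off-host clients can connect, else 'local'."""
    host = host.strip("[]")
    if host in WILDCARDS:
        return "network"      # all interfaces: the NeighborJack case
    if host in LOOPBACK or host.startswith("127."):
        return "local"        # loopback only: reachable from this host alone
    return "network"          # a specific non-loopback interface is still reachable


_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss_line(line: str) -> Optional[Listener]:
    """Parse one `ss -ltnp` row; return None for the header or non-LISTEN rows."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "LISTEN":
        return None
    host, port = parts[3].rsplit(":", 1)   # split off the port, keeping IPv6 colons intact
    m = _PROC_RE.search(line)
    proc, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
    return host.strip("[]"), int(port), proc, pid


def find_exposed_listeners(ss_output: str) -> List[Listener]:
    """Return every listener that is reachable from other hosts."""
    exposed = []
    for line in ss_output.splitlines():
        rec = parse_ss_line(line)
        if rec is not None and bind_exposure(rec[0]) == "network":
            exposed.append(rec)
    return exposed


if __name__ == "__main__":
    # On a real machine: find_exposed_listeners(subprocess.check_output(["ss", "-ltnp"], text=True))
    for host, port, proc, pid in find_exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED  {host}:{port}  {proc} (pid {pid})")
```

On the sample above, the loopback-bound `node` on 3001 and `python3` on 9000 pass; the other four are flagged, including the `*:3000` and `[::]:8080` rows, which are the IPv6 forms of "listen everywhere" and are easy to overlook. The fix for a locally used MCP server is to bind it to 127.0.0.1 (or ::1); if remote clients genuinely need it, front it with authentication and TLS rather than widening the bind address.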

The second major category of vulnerability identified was "Excessive Permissions & OS Injection." Dozens of MCP servers were found to permit "arbitrary command execution on the host machine." This critical flaw can arise from various coding practices, such as "careless use of a subprocess, a lack of input sanitization, or security bugs like path traversal."
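To make the second category concrete, here is an added example (not code from Backslash or from any real MCP server) of a hypothetical file-search tool handler written in the careless way the report describes, next to a hardened version of the same handler. The workspace directory `/srv/mcp-workspace`, the tool's `pattern` and `path` arguments, and the sample file contents are assumptions made for the illustration.

```python
import subprocess
from pathlib import Path
from typing import List

# Hypothetical directory the file-search tool is meant to be confined to.
WORKSPACE = Path("/srv/mcp-workspace")


# --- Vulnerable pattern (illustration only; do not deploy) --------------------
def build_shell_command_vulnerable(pattern: str, path: str) -> str:
    """Interpolates model-controlled arguments straight into a shell string.

    A pattern such as 'x"; id; echo "' is parsed by the shell as extra commands,
    and a path such as ../../etc/passwd walks out of the workspace.
    """
    return f'grep -n "{pattern}" {WORKSPACE}/{path}'


def grep_vulnerable(pattern: str, path: str) -> str:
    cmd = build_shell_command_vulnerable(pattern, path)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# --- Hardened version ---------------------------------------------------------
def resolve_in_workspace(path: str, root: Path = WORKSPACE) -> Path:
    """Return an absolute path inside root, or raise ValueError.

    resolve() collapses '..' and follows symlinks before the containment check,
    so a symlink inside the workspace that points outside it is also rejected.
    Path.is_relative_to needs Python 3.9+.
    """
    root = root.resolve()
    target = (root / path).resolve()   # an absolute `path` replaces root here and is then rejected
    if not target.is_relative_to(root):
        raise ValueError(f"path escapes workspace: {path!r}")
    return target


def build_argv_hardened(pattern: str, path: str, root: Path = WORKSPACE) -> List[str]:
    """Build an argv list: with no shell involved, metacharacters stay inside one argument."""
    if not pattern or "\x00" in pattern or len(pattern) > 256:
        raise ValueError("invalid pattern")
    target = resolve_in_workspace(path, root)
    # '--' ends option parsing, so a pattern such as '-r' cannot become a grep flag.
    return ["grep", "-n", "--", pattern, str(target)]


def grep_hardened(pattern: str, path: str, root: Path = WORKSPACE) -> str:
    argv = build_argv_hardened(pattern, path, root)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
    if proc.returncode not in (0, 1):          # exit status 1 just means "no match"
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text("token=abc\npassword=hunter2\n")   # constructed sample file
        print(grep_hardened("password", "notes.txt", root), end="")
        for bad in ("../../etc/passwd", "/etc/passwd"):
            try:
                build_argv_hardened("x", bad, root)
            except ValueError as e:
                print("rejected:", e)
        # Shell metacharacters are harmless as a single argv element:
        print(build_argv_hardened('x"; id; echo "', "notes.txt", root))
```

The hardened handler removes the shell, pins the executable and its options, separates options from data with `--`, and resolves the requested path before checking that it is still under the workspace. Those changes address the injection and path-traversal half of the finding; the "excessive permissions" half is addressed outside the code, by running the MCP server as an unprivileged user or in a container that can only see the workspace, so that a bug in the handler is not a bug with the developer's full privileges.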

The real-world risk is severe. "The MCP server can access the host that runs the MCP and potentially allow a remote user to control your operating system," Backslash said in a blog post. In other words, an attacker who reaches such an injection flaw can gain full control of the machine hosting the MCP server. Backslash's research also observed several MCP servers that contained both the "NeighborJack" misconfiguration and excessive permissions, creating "a critical toxic combination."

In such cases, "anyone on the same network can take full control of the host machine running the server," enabling malicious actors to "run any command, scrape memory, or impersonate tools used by AI agents."

MCP Server Security Hub

To directly address the identified vulnerabilities and the new attack surface presented by MCP servers, Backslash has established the MCP Server Security Hub, which among other things lists the highest-risk MCP servers.

[Image: MCP Server Security Hub (source: Backslash Security).]

This platform is the first publicly searchable security database dedicated to MCP servers, the company said. It provides a live, dynamically maintained, and searchable central database containing over 7,000 MCP server entries, with new entries added daily. The Hub's primary function is to score publicly available MCP servers based on their risk posture. Each entry offers detailed information on the security risks associated with a given MCP server, including malicious patterns, code weaknesses, detectable attack vectors, and information about the MCP server's origin. Backslash encourages anyone considering using an MCP server to first check it on the Hub and review its risk rating before installing it.

Recommendations

Unsurprisingly, Backslash Security's list of recommendations regarding the threat to MCP servers starts with utilizing the MCP Server Security Hub. Other advice includes:

  • Use the Vibe Coding Environment Self-Assessment Tool. To gain visibility into the vibe coding tools used by developers and continuously assess the risk posed by LLM models, MCP servers, and IDE AI rules, Backslash has launched a free self-assessment tool for vibe coding environments.

  • Validate Data Source for LLM Agents. It is recommended to validate the source of the data that your LLM agent is receiving to prevent potential data source poisoning.

For more information, go to the Backslash Security blog.

About the Author

David Ramel is an editor and writer at Converge 360.
