Hi Folks,
The NSA just posted what many have been waiting for, i.e. a report detailing all the problems with MCP and what people should do if and when they implement the protocol.
Here is a brief summary:
Overview
- MCP is the de facto standard for AI-driven service communication, used in business, finance, legal, and software development.
- Originally released by Anthropic in November 2024, its security model has not kept pace with its rapid adoption.
- The protocol reverses traditional client-server interaction, creating new attack paths.

Key Security Concerns
- Access control is optional and left to implementors, with many deployments lacking authentication or role-based permissions.
- Serialized data transmissions lack strict validation, opening paths for code injection.
- Approval workflows are inconsistent; trusted servers can change capabilities without user notification.
- Bearer tokens and session IDs are used optionally, with no mandated lifecycle management for expiration or revocation.
- Open source availability allows rapid deployment without proper security understanding.
- Implementations vary widely, creating unpredictable and exploitable behavior gaps.
- Audit logging is minimal or absent in many deployments.
- Servers are vulnerable to denial-of-service via prompt storms or recursive task requests.

Real-World Exploits Documented
- Unsanitized tool parameters allowed arbitrary command execution in open source MCP agents.
- Tool naming collisions allowed malicious code to override legitimate functionality.
- GitHub MCP granted blanket repository access, enabling data exfiltration to public repos.
- A malicious MCP server silently exfiltrated WhatsApp message data.
- Downstream agents blindly trusted poisoned outputs, enabling cascading prompt injection.
- CVE-2025-49596 allowed remote code execution via crafted messages in MCP-Inspector.

Recommendations
- Use only actively maintained MCP server projects and apply rigorous code audits.
- Define clear trust boundaries between all MCP components.
- Align tools with data classification zones and prefer local MCP servers for sensitive data.
- Validate all parameters against defined schemas and block ambiguous parameter forwarding.
- Sandbox tool execution using OS-level security frameworks and apply least privilege principles.
- Add cryptographic signatures to MCP messages and include replay protection metadata.
- Treat all tool outputs as untrusted and filter before passing downstream.
- Integrate MCP telemetry into SIEM and threat detection systems.
- Maintain a formal inventory of deployed MCP agents with versioning and patch history.
- Regularly scan networks for unauthenticated, vulnerable, or unauthorized MCP servers.
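Two of the recommendations above (schema validation of tool parameters with no forwarding of undeclared ones, and signed messages with replay-protection metadata) sketched as an added Python example; this is not code from the NSA report or from any MCP implementation, and the tool schema, shared HMAC key, nonce and timestamp fields are constructed assumptions for illustration.

```python
"""Constructed example: check a tools/call argument object against a declared
tool inputSchema (rejecting undeclared parameters) and verify an HMAC-signed
message envelope that carries nonce and timestamp replay-protection metadata."""
import hashlib
import hmac
import json

# Hypothetical tool declaration in the shape of an MCP inputSchema (JSON Schema subset).
TOOL_SCHEMA = {
    "type": "object",
    "properties": {"path": {"type": "string"}, "max_lines": {"type": "integer"}},
    "required": ["path"],
    "additionalProperties": False,
}
_TYPES = {"string": str, "integer": int, "boolean": bool, "object": dict}


def validate_arguments(args, schema=TOOL_SCHEMA):
    """Return a list of problems; an empty list means the arguments conform."""
    if not isinstance(args, dict):
        return ["arguments must be an object"]
    props = schema.get("properties", {})
    problems = [f"missing required parameter: {n}" for n in schema.get("required", []) if n not in args]
    for name, value in args.items():
        if name not in props:  # never forward parameters the tool did not declare
            problems.append(f"undeclared parameter rejected: {name}")
            continue
        want = _TYPES[props[name]["type"]]
        # bool is a subclass of int in Python, so reject True/False where an integer is declared
        if (want is int and isinstance(value, bool)) or not isinstance(value, want):
            problems.append(f"parameter {name} has wrong type")
    return problems


class ReplayGuard:
    """HMAC-SHA256 over a canonical JSON body; rejects bad MACs, stale timestamps and reused nonces."""

    def __init__(self, key: bytes, max_age_s: int = 60):
        self.key, self.max_age_s, self.seen = key, max_age_s, set()

    def _mac(self, body: dict) -> str:
        return hmac.new(self.key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def sign(self, payload: dict, nonce: str, ts: int) -> dict:
        body = {"payload": payload, "nonce": nonce, "ts": ts}
        return {**body, "mac": self._mac(body)}

    def verify(self, msg: dict, now: int) -> bool:
        body = {k: msg.get(k) for k in ("payload", "nonce", "ts")}
        if not hmac.compare_digest(self._mac(body), str(msg.get("mac", ""))):
            return False  # tampered payload or metadata
        if abs(now - int(msg["ts"])) > self.max_age_s or msg["nonce"] in self.seen:
            return False  # stale message or replayed nonce
        self.seen.add(msg["nonce"])
        return True
```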
I have attached the full report as well.