Why Your MCP Servers Are Your Biggest Security Blind Spot
This week, Microsoft disclosed a critical server-side request forgery (SSRF) vulnerability in their own Azure MCP server. Let that sink in. The company that runs one of the world's three largest cloud platforms shipped an MCP implementation with a flaw that could let attackers pivot into internal Azure services.
If Microsoft can't secure their MCP servers, what makes you think yours are safe?
The Model Context Protocol has gone from an interesting experiment to critical infrastructure in barely a year. Thousands of organisations are deploying MCP servers to give AI agents access to their tools, databases, and APIs. And almost nobody is scanning them for vulnerabilities.
That needs to change. Today.
What Is MCP, and Why Should You Care?
The Model Context Protocol — originally developed by Anthropic and now adopted across the industry — is the standard way AI agents interact with external tools. Think of it as a universal adapter: instead of building custom integrations for every AI model, you build one MCP server and any compatible agent can use your tools.
An MCP server might expose tools that:
- •Query your production database
- •Read and write files on your servers
- •Send emails on behalf of users
- •Access your cloud infrastructure APIs
- •Execute code in sandboxed environments
- •Interact with third-party SaaS platforms
This is incredibly powerful. It's also incredibly dangerous.
MCP servers are, by design, bridges between AI agents and your most sensitive systems. They sit in a trust-critical position: the agent trusts the MCP server to provide legitimate tool results, and your backend systems trust the MCP server to send legitimate requests.
When an MCP server is compromised or misconfigured, that trust relationship becomes the attack vector.
The Attack Surface Nobody's Watching
Traditional security tooling doesn't understand MCP. Your vulnerability scanners, your SIEM, your WAF — none of them are designed to detect MCP-specific attacks. Here's what's hiding in your blind spot:
SSRF: The Azure Wake-Up Call
Server-side request forgery through MCP servers is the most immediately dangerous attack vector. Here's how it works:
- •An AI agent calls an MCP tool — say, a web scraping tool or an API integration
- •The attacker crafts input that manipulates the URL or request target
- •The MCP server, running inside your network, makes a request to an internal resource
- •Suddenly, the attacker has access to your cloud metadata endpoint (169.254.169.254), internal APIs, or admin panels
The Azure CVE proved this isn't theoretical. Microsoft's MCP server could be exploited to make requests to internal Azure services. This is the same class of vulnerability that led to the Capital One breach in 2019 — but now it's embedded in your AI agent infrastructure.
Prompt Injection via Tool Results
This is the attack that keeps AI security researchers up at night:
- •An MCP tool fetches data from an external source (a website, an email, a document)
- •That data contains hidden instructions — invisible to humans but parsed by the AI agent
- •The agent follows the injected instructions, potentially exfiltrating data or executing unintended actions
- •All of this happens within the agent's normal operation — no alarms, no logs, no alerts
Because MCP tools return data that the AI agent processes as context, every tool response is a potential injection point.
Excessive Permissions and Missing Authentication
Survey the MCP servers in your organisation right now. How many of them:
- •Run with admin-level permissions?
- •Lack any form of authentication?
- •Expose tools that aren't needed by the agents using them?
- •Have no rate limiting or abuse prevention?
- •Log nothing about tool invocations?
If your experience is anything like what we see in security assessments, the answer is "most of them."
Supply Chain Poisoning
There are over 8,500 MCP servers available for installation from community registries. Installing one is as easy as adding a few lines to your configuration file. But each one is executable code running with access to your AI agent's context — and potentially your network.
This is npm supply chain attacks all over again — but worse, because MCP servers by design have access to sensitive tools and data.
What You Should Check Right Now
If your organisation uses MCP servers, here's your immediate action checklist:
1. Inventory Your MCP Servers — You can't secure what you don't know about. Map every MCP server in your environment.
2. Review Permissions — Apply the principle of least privilege ruthlessly. Does the database tool need write access, or just read?
3. Add Authentication — If your MCP servers accept unauthenticated connections, fix that immediately.
4. Test for SSRF — For every MCP tool that makes network requests, check whether the request target can be manipulated.
5. Assess Prompt Injection Resilience — What happens when tool results contain instructions? Does the agent follow them?
6. Audit Community Servers — Before deploying any community MCP server, review the source code. Actually read it.
The Bigger Picture
MCP servers represent a fundamental shift in how software systems interact. They're the connective tissue of the agentic AI ecosystem — and like any connective tissue, when they're compromised, everything they connect is at risk.
The security industry is behind. Way behind. We're deploying MCP servers at an exponential rate, but the security tooling, best practices, and even the threat models are still catching up.
We built MCPScan because we got tired of seeing MCP servers deployed without any security assessment. It's the first dedicated security scanner for MCP servers — covering SSRF, prompt injection resilience, permission analysis, and supply chain risks.
Because the question isn't whether your MCP servers have vulnerabilities. It's whether you find them before someone else does.
Next steps
Concerned about your AI agent security?
We help organisations assess and secure their AI agent deployments. Get in touch for a free initial consultation.
Get in touch