
MCP Servers Hit by 'NeighborJack' Vulnerability and More

Model Context Protocol (MCP) servers, a relatively new idea from Anthropic for connecting advanced AI systems with tools, data sources and other resources so they can act as autonomous agents, are now being subjected to cybersecurity attacks like every other piece of software.

MCP servers were introduced last November as an open protocol designed to facilitate inter-agent communication and enable advanced AI systems to connect with a variety of tools. The concept has gained industry traction as a way to standardize how AI agents interact and share context, which is crucial for building more sophisticated and collaborative AI systems within enterprises.

With that traction, however, has come attention from threat actors, who were quick to seize on the hacking opportunity and are hitting MCP servers with a variety of attacks.

The situation is described in a new report from Backslash Security, which exposed critical flaws in hundreds of public MCP servers. In an ongoing effort, the company analyzed thousands of publicly available MCP servers, scanning them for code vulnerabilities and other weaknesses, and also checked them for malicious patterns, including:

  • Tool Poisoning: Hidden instructions in tool descriptions aiming to subvert LLM/tool behavior.
  • Rug Pull Attack: The registered tool logic is changed/replaced at runtime by attacker-controlled code.
  • Tool Shadowing: Legitimate tool replaced/overridden by a malicious one.
  • Data Exfiltration: Code deliberately leaks sensitive data externally, such as secrets or token theft.
  • Malicious Backdoor Entrance: Code deliberately enables unauthorized or persistent access.

Specifically, the company found two pervasive categories of weaknesses which, when combined, can pose very high risk to the user's environment and applications. These are network exposure via the MCP "NeighborJack" vulnerability, and excessive permissions and OS injection.

MCP 'NeighborJack' Vulnerability
Backslash Security's analysis revealed a significant vulnerability they termed "MCP NeighborJack." This issue was the most common weakness discovered, with hundreds of cases found among the more than 7,000 MCP servers investigated. The core problem is that these vulnerable MCP servers were explicitly bound to all network interfaces (0.0.0.0), making them "accessible to anyone on the same local network." This misconfiguration essentially exposes the MCP server to potential attackers within the local network, creating a significant point of entry for exploitation.
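The misconfiguration behind "NeighborJack" is a single setting: the address the server listens on. The following check is an added example, not code from Backslash Security or from any MCP project; the server settings it lints are constructed for illustration. It flags the wildcard addresses (0.0.0.0, ::, an empty host) and any real interface address as network-exposed, and shows the loopback-only value that confines the listener to the host.

```python
"""Added example: a bind-address check for the NeighborJack misconfiguration.
Not Backslash Security's code or any MCP project's code; the settings
dicts below are constructed for illustration."""
import ipaddress


def is_network_exposed(host: str) -> bool:
    """True if a listener bound to `host` is reachable from other machines
    on the same network, False if it is confined to this host."""
    if host == "":
        # Most server frameworks treat an empty host as "all interfaces".
        return True
    if host.lower() == "localhost":
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Unknown hostname: it cannot be proven local, so treat it as exposed.
        return True
    # 0.0.0.0 and :: are the wildcard ("unspecified") addresses that bind every
    # interface; any other non-loopback address is a real NIC address, also
    # reachable from the LAN.
    return addr.is_unspecified or not addr.is_loopback


def harden_bind(settings: dict) -> dict:
    """Return a copy of `settings` with the host pinned to loopback when the
    configured value would expose the server. IPv6 loopback is used when the
    original value was an IPv6 address."""
    fixed = dict(settings)
    host = settings.get("host", "")
    if is_network_exposed(host):
        fixed["host"] = "::1" if ":" in host else "127.0.0.1"
    return fixed


def audit(servers: dict) -> list:
    """Lint a name -> settings map and list the servers that are exposed."""
    return [name for name, cfg in servers.items()
            if is_network_exposed(cfg.get("host", ""))]


# Constructed sample configurations (not real MCP server settings).
SAMPLE_SERVERS = {
    "filesystem-tool": {"host": "0.0.0.0", "port": 8000},      # NeighborJack: every interface
    "db-tool":         {"host": "127.0.0.1", "port": 8001},    # loopback only
    "search-tool":     {"host": "::", "port": 8002},           # IPv6 wildcard, same problem
    "notes-tool":      {"host": "192.168.1.20", "port": 8003}, # NIC address: LAN-reachable
}

if __name__ == "__main__":
    for name in audit(SAMPLE_SERVERS):
        print(f"{name}: exposed on {SAMPLE_SERVERS[name]['host']} -> "
              f"{harden_bind(SAMPLE_SERVERS[name])['host']}")
```

Binding to loopback is the right default for a server that only the local agent runtime should talk to; if remote access is genuinely required, that is a decision to make deliberately, with authentication in front of the listener, rather than a side effect of a 0.0.0.0 default.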

Excessive Permissions & OS Injection
The second major category of vulnerability identified was "Excessive Permissions & OS Injection." Dozens of MCP servers were found to permit "arbitrary command execution on the host machine." This critical flaw can arise from various coding practices, such as "careless use of a subprocess, a lack of input sanitization, or security bugs like path traversal."
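The three coding practices named above (careless subprocess use, missing input sanitization, path traversal) are easiest to see side by side. The following is an added example, not code from Backslash Security or from any MCP project: a tool handler in the shape an MCP server might expose, first in the careless form the report describes and then hardened with a program allowlist, an argv list instead of a shell string, and a path containment check. The workspace directory, the tool names and the sample file are constructed for illustration.

```python
"""Added example: a tool handler in the shape an MCP server might expose,
in careless and hardened forms. Not Backslash Security's code or any MCP
project's code; the workspace, allowlist and sample file are constructed."""
import subprocess
import tempfile
from pathlib import Path

# Constructed sandbox root; a real server would make this explicit configuration.
WORKSPACE = (Path(tempfile.gettempdir()) / "mcp_example_workspace").resolve()


# --- Careless form, shown for contrast only ---------------------------------
def run_tool_careless(name: str, arg: str) -> str:
    # Tool input is spliced into a shell string, so shell metacharacters in
    # `arg` are interpreted, and nothing limits which program `name` is.
    return subprocess.check_output(f"{name} {arg}", shell=True, text=True)


def read_file_careless(relative: str) -> str:
    # No containment check: a relative path with ".." leaves the workspace.
    return (WORKSPACE / relative).read_text()


# --- Hardened form ----------------------------------------------------------
# Only these programs may run, and only with these fixed argument prefixes.
ALLOWED_TOOLS = {"count_lines": ["wc", "-l"], "sort_lines": ["sort"]}


def safe_path(relative: str) -> Path:
    """Resolve `relative` under WORKSPACE and refuse anything that escapes it,
    including '..' segments, absolute paths and symlinks pointing outside."""
    candidate = (WORKSPACE / relative).resolve()
    if candidate != WORKSPACE and WORKSPACE not in candidate.parents:
        raise PermissionError(f"path escapes workspace: {relative!r}")
    return candidate


def read_file_hardened(relative: str) -> str:
    return safe_path(relative).read_text()


def run_tool_hardened(name: str, relative: str) -> str:
    """Run an allowlisted program on a workspace file. The argv list bypasses
    the shell entirely, so metacharacters in the input are just bytes in a
    filename that `safe_path` has already confined to the workspace."""
    if name not in ALLOWED_TOOLS:
        raise PermissionError(f"tool not allowed: {name!r}")
    argv = ALLOWED_TOOLS[name] + [str(safe_path(relative))]
    return subprocess.check_output(argv, text=True, timeout=5)


def setup_workspace() -> Path:
    """Create the constructed workspace with one sample file."""
    WORKSPACE.mkdir(parents=True, exist_ok=True)
    (WORKSPACE / "notes.txt").write_text("alpha\nbeta\ngamma\n")
    return WORKSPACE


def line_count(relative: str) -> int:
    """Run the allowlisted line counter and parse the count it prints."""
    return int(run_tool_hardened("count_lines", relative).split()[0])


if __name__ == "__main__":
    setup_workspace()
    print(line_count("notes.txt"))  # 3
    for bad in ("../../etc/passwd", "notes.txt; id"):
        try:
            run_tool_hardened("count_lines", bad)
        except (PermissionError, subprocess.CalledProcessError) as e:
            print(f"rejected {bad!r}: {type(e).__name__}")
```

The hardened handler still runs a program on the host, so it is not a substitute for running the MCP server itself under a least-privilege account; it only ensures that what the agent can ask for is limited to the programs and files the operator chose in advance.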

The real-world risk is severe. "The MCP server can access the host that runs the MCP and potentially allow a remote user to control your operating system," the company said in a June 25 blog post. This means an attacker could gain full control of the underlying machine hosting the MCP server. Backslash's research observed several MCP servers that tragically contained both the "NeighborJack" vulnerability and excessive permissions, creating "a critical toxic combination."

A Toxic Combination (source: Backslash Security).

In such cases, "anyone on the same network can take full control of the host machine running the server," enabling malicious actors to "run any command, scrape memory, or impersonate tools used by AI agents."

MCP Server Security Hub
To directly address the identified vulnerabilities and the new attack surface presented by MCP servers, Backslash Security has established the MCP Server Security Hub, which among other things lists the high-risk MCPs.

MCP Server Security Hub (source: Backslash Security).

This platform is the first publicly searchable security database dedicated to MCP servers, the company said. It provides a live, dynamically maintained, and searchable central database containing over 7,000 MCP server entries, with new entries added daily. The Hub's primary function is to score publicly available MCP servers based on their risk posture. Each entry offers detailed information on the security risks associated with a given MCP server, including malicious patterns, code weaknesses, detectable attack vectors, and information about the MCP server's origin. Backslash Security encourages anyone considering using an MCP server to first check it on the Hub to ensure its safety.

Recommendations
Unsurprisingly, Backslash Security's list of recommendations regarding the threat to MCP servers starts with utilizing the MCP Server Security Hub. Other advice includes:

  • Use the Vibe Coding Environment Self-Assessment Tool: To gain visibility into the vibe coding tools used by developers and continuously assess the risk posed by LLM models, MCP servers, and IDE AI rules, Backslash has launched a free self-assessment tool for vibe coding environments.

  • Validate Data Source for LLM Agents: It is recommended to validate the source of the data that your LLM agent is receiving to prevent potential data source poisoning.

About the Author

David Ramel is an editor and writer at Converge 360.
