MCP has become an integral part of the expansion of agentic AI but comes with its own vulnerabilities.
Model Context Protocol (MCP), developed by Anthropic and released as an open standard in 2024, is the de facto (though not universal) standard for providing a consistent and safe interface between an AI agent (or agents) and its data source (or sources). It specifies how AI agents interact with tools, other agents, data, and context in a safe and auditable manner. It is consequently a fundamental requirement for effective agentic AI.
But like all software, MCP has areas that can be abused by malicious actors. This month a potential attack on ChatGPT’s calendar integration was described, allowing an email calendar invite to deliver a jailbreak to ChatGPT, with no user interaction required.
AI-specialist firm Adversa has now published an analysis of the Top 25 MCP vulnerabilities, described as ‘the most comprehensive to date analysis of MCP vulnerabilities’.
OWASP is known to be planning its own Top Ten for MCP, but this is not yet available and will (probably) be limited to ten vulnerabilities. Adversa is not trying to compete with OWASP, but to provide immediate assistance for companies developing and implementing agentic AI solutions today. “We will map to OWASP/CSA/NIST where relevant, and plan to contribute this work to the OWASP MCP effort as it formalizes,” Alex Polyakov (co-founder and CTO of Adversa AI) told SecurityWeek.
The basic Adversa table of vulnerabilities includes a recommended ‘official’ name (plus common AKAs), an impact score, an exploitability rating, and a link to additional third-party explanatory information. The impact classification ranges from critical (complete system compromise or RCE) to low (information disclosure only), while the exploitability level ranges from trivial (can be exploited with just basic knowledge – no special skills other than access to a browser) to very complex (theoretical only, or requires nation-state resources).
The ranking figure is developed through a weighting algorithm: 40% impact + 30% exploitability + 20% prevalence + 10% remediation complexity. It will surprise no-one that prompt injection remains the perfect storm: combining critical impact with trivial exploitability and ranked as the #1 vulnerability. Less well-known is the MCP Preference Manipulation Attack (MPMA) with low impact and very complex exploitability ranked at #24 – but still a vulnerability.
“We plan to update the document monthly, or whenever new incidents or CVEs occur requiring an immediate update,” explained Polyakov. For the links to further reading, the document defaults to the first description of a vulnerability. But, he added, these links are not permanent. “We’ll update and expand ‘further reading’ when a clearer or more rigorous source emerges, and record it in the changelog.”
But the document isn’t just a catalog of threats – it also provides a practical security and mitigation checklist comprising ‘immediate’ steps, a ‘defense-in-depth strategy’, and a ‘mitigation timeline’.
Immediate steps include: “Input Validation is Mandatory – 43% of MCP servers vulnerable to command injection is inexcusable. Validate and sanitize ALL inputs.”
The defense strategy includes four layers: protocol level, application level, AI-specific defenses, and infrastructure. Examples include ‘enforce TLS for all communications’ (protocol level), and ‘use parameterized queries for database operations’ (application level).
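The ‘validate and sanitize ALL inputs’ step and the application-level layer above are easiest to see on a concrete MCP tool handler. The following is an added example, not code from the Adversa document or from the MCP SDK: it models one hypothetical tool (‘dns_lookup’) that receives a model-supplied hostname, shows the injectable shell-string pattern beside the hardened allow-list-plus-argv pattern, and assumes the tool name, argument name and result shape for illustration.

```python
import re
import subprocess

# Added example, not the MCP SDK. Tool name, argument names and the
# result dict shape are assumptions made for illustration.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_safe_hostname(value) -> bool:
    """Allow-list check: only a syntactically valid DNS name passes, so shell
    metacharacters, whitespace and a leading '-' (option injection) are all
    rejected before the value reaches any command."""
    return isinstance(value, str) and _HOSTNAME_RE.match(value) is not None


def unsafe_lookup_command(hostname: str) -> str:
    """The injectable pattern: untrusted text interpolated into a string that
    would be run with shell=True. Returned, never executed, so the effect of a
    crafted argument can be inspected."""
    return f"nslookup {hostname}"


def build_lookup_argv(hostname: str) -> list:
    """Hardened pattern: validate first, then build an argv list that is
    handed to subprocess without a shell, so no metacharacter is interpreted."""
    if not is_safe_hostname(hostname):
        raise ValueError(f"rejected hostname argument: {hostname!r}")
    return ["nslookup", hostname]


def handle_tool_call(name: str, arguments) -> dict:
    """Server-side dispatcher for an incoming tool call. Type and allow-list
    validation happen here, before anything touches the operating system."""
    if name != "dns_lookup":
        return {"isError": True, "content": [{"type": "text", "text": "unknown tool"}]}
    hostname = arguments.get("hostname") if isinstance(arguments, dict) else None
    if not is_safe_hostname(hostname):
        return {"isError": True, "content": [{"type": "text", "text": "invalid hostname"}]}
    argv = build_lookup_argv(hostname)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)  # no shell
    return {"isError": proc.returncode != 0,
            "content": [{"type": "text", "text": proc.stdout}]}
```

The same structure applies to any tool that wraps a system command or a database query: reject on an allow-list, then pass arguments as data (argv or bound parameters), never as part of a command string.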
The mitigation timeline spreads over a three-month period, starting with ‘implement authentication on all exposed endpoints’ (immediate) and including ‘redesign architecture for zero-trust model’ (in month three).
Adversa has produced the first complete guide to MCP vulnerabilities affecting possibly the hottest area of IT today – the switch from manual human intelligence to automated artificial intelligence. This guide is designed to help IT and security departments understand the full complexity involved.