April 15, 2025

Cato CTRL™ Threat Research: Exploiting Model Context Protocol (MCP) – Demonstrating Risks and Mitigating GenAI Threats 

Dolev Moshe Attiya
Shlomo Bamberger
Dr. Guy Waizel


Executive Summary 

Generative AI (GenAI) is advancing rapidly, offering significant potential for business transformation. However, it also introduces new security risks.  

The Model Context Protocol (MCP), an open standard introduced by Anthropic in November 2024, enables seamless integration between GenAI applications and external data sources and tools. MCP is commonly referred to as a USB-C port for GenAI applications.  

As MCP-enabled tools interact with sensitive data, they increase the risk of unauthorized access. The integration of these tools requires careful attention to security and a proactive approach to managing emerging threats. We have demonstrated these risks through two proof of concepts (PoCs), revealing an expanded attack surface that could impact organizations globally. 

  • Attack scenario #1: We simulate an MCP attack where a malicious MCP package is downloaded by a victim and used to read a file with Cursor AI. The package unexpectedly triggers the opening of a calculator, which mimics an attack. 
  • Attack scenario #2: We simulate an MCP attack where an attacker crafts a document with malicious prompts and tricks the victim into uploading it to Claude 3.7 Sonnet with an MCP server installed. When the file is triggered, the attacker manipulates the MCP server to encrypt the victim’s files. 

Below is a summary of the two attack scenarios with a video demonstration for each, plus security best practices for organizations using MCP.  

Technical Overview 

What is MCP and How it Works 

MCP is an open standard designed to integrate GenAI applications with external data sources and tools. Imagine a GenAI application that not only generates text or responds to queries but can also interact with live data, manage cloud applications, and control local systems. MCP acts as the bridge between the GenAI application (the “host”) and those external services. This setup enables the GenAI application to query APIs, access databases, and automate tasks across technology platforms, all within a single conversation interface. Users can integrate GenAI applications with various systems using API keys and permissions, while developers can create custom servers using SDKs.  

For more details on MCP and its capabilities, refer to the official documentation by Anthropic.

The Current Use and Future Vision of MCP 

Currently, MCP is most useful for developers and businesses integrating GenAI applications into their systems. In the future, it could enable even non-technical users to manage tasks or control devices simply by prompting a GenAI tool, without needing technical expertise. 

Attack Scenarios and PoC Demonstrations  

Integrating MCP into corporate environments introduces significant risks that organizations must be aware of. These risks can result in serious consequences, including data breaches, system compromises, and compliance violations. To illustrate these risks, we present two PoCs that demonstrate how these challenges can be exploited in real-world settings. 

Attack Scenario #1: Malicious MCP Package 

In this scenario, an attacker creates a malicious MCP package that appears legitimate and publishes it on developer platforms. A user then downloads the MCP, unaware that it’s malicious.  

In the demo, we show a user who believes they are using MCP to read a file with Cursor AI. Instead, FastMCP is simulating a malicious MCP package, which unexpectedly opens a calculator. The calculator stands in for an attacker's payload.  

In a real-world scenario, the malicious package could download and run an executable instead of a calculator, giving the attacker control of the network and persistence on the device. 

Attack Scenario #2: Abuse of Legitimate MCP Server 

In this scenario, a user installs a legitimate MCP server, which acts as a bridge between Claude and a user’s files. It provides Claude with access to local files, which allows file read/write.  

In the demo, we show an attacker crafting a document with malicious prompts and tricking the victim into uploading it to Claude 3.7 Sonnet where the MCP server is installed. The hidden prompt is triggered, manipulating the MCP server on the victim’s device and encrypting their files. This demonstrates how even a legitimate MCP installation can be exploited.  

In a real-world scenario, imagine an attacker sending a fake audit document to a financial analyst. It’s assumed that the MCP server allows access to sensitive files and can send data over HTTP. The analyst uploads the document to Claude, triggering a malicious prompt that grants the attacker unauthorized access to financial records, leading to data exfiltration, report manipulation, or ransomware deployment. 

Root Cause Analysis (RCA) of MCP Security Risks 

The root cause in both attack scenarios is the lack of clear communication and awareness regarding the permissions granted to MCP packages, combined with insufficient monitoring and policy enforcement on the downloading and use of unvetted applications. This lets attackers take advantage of the weak authorization MCP relies on when running code on a local device: by embedding malicious code or prompts within seemingly legitimate files or packages, they trigger unauthorized actions without the user's knowledge or consent. The absence of transparent permission requirements and proper security controls makes it easier for malicious actors to manipulate and compromise systems through MCP. 

Broader Risks: Supply Chain Attacks and Compliance Violations 

Integrating MCP into corporate environments introduces significant security risks, particularly in the context of supply chain attacks. Attackers can abuse MCP servers to deliver malicious payloads targeting enterprise systems, potentially leading to the exfiltration of sensitive data or the corruption of internal systems. Such incidents can compromise security and result in violations of compliance regulations like GDPR or HIPAA.  

The ability of MCP-enabled tools to connect with critical corporate systems increases the exposure to security risks. Attackers could exploit these integrations to access financial records, employee data, intellectual property, and more. If compromised, attackers may deploy ransomware or malware, causing data loss, system outages, and reputational damage.  

The security risks underscore the need for stringent security measures to secure MCP interactions. These issues align with MITRE ATT&CK tactics, highlighting the need for comprehensive risk management in corporate environments. 


Data Insights from the Cato SASE Cloud Platform 

We have been monitoring the use and trends of MCP on the Cato SASE Cloud Platform and have found that, at the moment, MCPs have not been widely adopted by organizations. However, we expect adoption to increase, especially with the vast business processes, workflows, and implementations that can be achieved, leading to more efficient operations. With this increased adoption, the risk also rises, and the attack surface expands accordingly. We will continue monitoring trends around MCP to share with our customers and the broader threat intelligence community. 

Security Best Practices 

As MCP continues to evolve, the attack surface it creates will expand. Both developers and users must remain vigilant about the security risks associated with this technology. To reduce these risks, we recommend the following security best practices: 

  • Verify the source of MCP packages to ensure they come from trusted sources. 
  • Review permissions before installation or running any MCP. 
  • Use official repositories or well-known sources for MCP servers. 
  • Ensure code verification before MCP functions are executed on servers. 
  • Limit API permissions, ensuring only necessary actions can be performed. 
  • Implement trusted code signing to establish reliability and transparency. 
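The following policy gate applies several of the practices above at the point where a host forwards a tool call to an MCP server: only allowlisted servers with a pinned package hash are accepted, file paths are confined to reviewed directories, write tools must be explicitly permitted, and a burst of writes is refused because that is the pattern the mass encryption in scenario #2 would produce. This is an added example, not code from Cato CTRL or from the MCP project; it assumes the host can intercept each tool call before the server executes it, and the server name, tool names, paths and hash are constructed.

```python
# Added example (not Cato CTRL's or MCP's code). Assumes the GenAI host can
# intercept each tool call and pass it through check_tool_call() before the
# MCP server runs it. Server/tool names, paths and hashes are constructed.
import hashlib
import os
import time
from collections import defaultdict, deque

# Allowlist of vetted MCP servers: pinned SHA-256 of the package artefact,
# directories the server may touch, write permission, and a write-rate limit.
POLICY = {
    "filesystem": {
        "sha256": hashlib.sha256(b"constructed-vetted-package").hexdigest(),
        "allowed_roots": ["/home/analyst/reports"],
        "allow_write": True,
        "max_writes_per_minute": 5,  # a burst of rewrites looks like mass encryption
    },
}
WRITE_TOOLS = {"write_file", "move_file", "edit_file"}
_write_log = defaultdict(deque)  # server name -> timestamps of recent writes


def _inside(path, roots):
    """True if the resolved path lies under one of the allowed roots."""
    real = os.path.realpath(path)
    return any(real == r or real.startswith(r.rstrip("/") + "/")
               for r in map(os.path.realpath, roots))


def check_tool_call(server, package_bytes, tool, args, now=None):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    now = time.time() if now is None else now
    rule = POLICY.get(server)
    if rule is None:
        return False, "server not on allowlist"
    if hashlib.sha256(package_bytes).hexdigest() != rule["sha256"]:
        return False, "package hash does not match pinned value"
    path = args.get("path")
    if path is not None and not _inside(path, rule["allowed_roots"]):
        return False, "path outside allowed roots"
    if tool in WRITE_TOOLS:
        if not rule["allow_write"]:
            return False, "write tools disabled for this server"
        log = _write_log[server]
        while log and now - log[0] > 60:  # drop writes older than one minute
            log.popleft()
        if len(log) >= rule["max_writes_per_minute"]:
            return False, "write burst exceeds limit (possible mass encryption)"
        log.append(now)
    return True, "ok"
```

Every denial returns a reason string so the host can log it; that log is also where a security team would look for a prompt-injected session repeatedly hitting the write limit.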

Conclusion 

We successfully demonstrated two PoCs related to MCP, highlighting the risks of malicious downloads and exploitation of legitimate integrations. These attacks showcase the potential vulnerabilities that can compromise corporate data, systems, and compliance. We also discussed various mitigation options, including strong security measures, monitoring, and vetting third-party MCP tools. Organizations must be proactive in securing their MCP integrations to protect against these growing risks and safeguard sensitive data. 

Dolev Moshe Attiya

Staff Security Engineer

Dolev Moshe Attiya is a staff cyber security engineer at Cato Networks and a member of Cato CTRL. Dolev plays a key role in fortifying Cato's security against emerging threats and CVEs, showcasing his commitment to excellence in the dynamic field of cybersecurity. Prior to joining Cato in 2020, Dolev worked at Check Point Software as a cyber security analyst. With more than five years of experience, Dolev specializes in threat analysis, research, and developing advanced countermeasures. Dolev served in the Israel Defense Forces (IDF). Dolev holds a Bachelor of Science (B.S.) in Computer Science from Holon Institute of Technology.

Shlomo Bamberger

Security Engineer

Shlomo Bamberger is a security engineer at Cato Networks and a member of Cato CTRL. With hands-on expertise in protocol analysis, cloud application research, and detection signature development, Shlomo contributes to enhancing Cato’s detection capabilities across a wide range of technologies. Prior to joining Cato in 2023, Shlomo worked as a Cloud Security Researcher at Check Point. With nearly five years of industry experience, Shlomo brings a strong analytical edge and a deep understanding of network behavior and data security.

Dr. Guy Waizel

Tech Evangelist

Dr. Guy Waizel is a Tech Evangelist at Cato Networks and a member of Cato CTRL. As part of his role, Guy collaborates closely with Cato's researchers, developers, and tech teams to bridge and evangelize tech by researching, writing, presenting, and sharing key insights, innovations, and solutions with the broader tech and cybersecurity community. Prior to joining Cato in 2025, Guy led and evangelized security efforts at Commvault, advising CISOs and CIOs on the company’s entire security portfolio. Guy also worked at TrapX Security (acquired by Commvault) in various hands-on and leadership roles, including support, incident response, forensic investigations, and product development. Guy has more than 25 years of experience spanning cybersecurity, IT, and AI, and has held key roles at tech startups acquired by Philips, Stanley Healthcare, and Verint. Guy holds a PhD with magna cum laude honors from Alexandru Ioan Cuza University; his research thesis focused on the intersection of marketing strategies, cloud adoption, cybersecurity, and AI. He also holds an MBA from Netanya Academic College, a B.Sc. in technology management from Holon Institute of Technology, and multiple cybersecurity certifications.
