Adversa has released what it calls the most comprehensive analysis to date of security risks in the Model Context Protocol (MCP), unveiling a Top‑25 vulnerabilities list that blends risk scoring with a practical hardening guide. The report targets teams designing and deploying agentic AI systems and aims to offer immediate prioritization guidance while industry standards are still forming.
What is the Model Context Protocol and why it matters for AI agent security
Introduced by Anthropic in 2024 as an open standard, the Model Context Protocol (MCP) provides a unified, auditable way for AI agents to connect to tools, data sources, other agents, and contextual information. By standardizing how agents interact with their environment, MCP promises consistency and accountability—but it also concentrates an attack surface that, if left unmanaged, can enable data leakage, privilege escalation, or remote code execution (RCE).
While the community is preparing an OWASP MCP Top 10, Adversa’s list is positioned as an interim benchmark. The company notes its intent to align with OWASP, Cloud Security Alliance (CSA), and NIST taxonomies and to contribute to the forthcoming OWASP MCP framework.
How Adversa ranks MCP vulnerabilities
Scoring model and criteria
Each vulnerability entry includes an official and alternative name, impact and exploitability ratings, and links to primary sources. Impact ranges from critical (full compromise/RCE) to low (information disclosure), while exploitability spans trivial (browser‑only skills) to highly complex (theoretical attacks requiring nation‑state resources).
The composite score weights are: 40% consequence severity, 30% ease of exploitation, 20% prevalence, and 10% remediation complexity. This approach helps security teams prioritize patches and compensating controls relative to business risk.
Top risks: prompt injection leads the pack
Prompt injection ranks first due to its high potential impact and low barrier to exploitation, making it a primary threat across MCP implementations. At the opposite end, the MCP Preference Manipulation Attack (MPMA) appears near the bottom—ranked 24th—because of its narrower blast radius and higher practical complexity.
Adversa’s co‑founder and CTO Alex Polyakov says the list will be updated monthly or as new incidents and CVEs warrant immediate revision. Early references in the report are expected to be replaced with deeper, peer‑reviewed sources over time.
Actionable defenses for MCP environments
Immediate steps: validate and sanitize inputs
Adversa urges a hygiene‑first approach: enforce validation and sanitization for all inbound data. The firm estimates that 43% of MCP servers are susceptible to command injection, underscoring the need for strict input filtering, content normalization, and robust encoding/escaping in tool and function interfaces.
Defense‑in‑depth across protocol, application, AI, and infrastructure
Protocol layer: require TLS for all connections and reject downgrade attempts. Application layer: use parameterized database queries, safe file handling, and strict MIME/type checks. AI layer: implement prompt‑injection defenses (content allowlists, tool‑use guardrails, human‑in‑the‑loop for sensitive actions) and restrict cross‑context data flows. Infrastructure: apply least privilege, comprehensive logging, anomaly detection, and secrets isolation.
90‑day MCP security roadmap
Day 0–30: enable authentication on all exposed endpoints and close obvious injection vectors. Day 31–60: expand network segmentation, enforce least‑privilege access, and centralize audit trails. Day 61–90: re‑architect toward zero‑trust to contain the impact of compromised components or third‑party providers.
Mapping to OWASP, CSA, and NIST to accelerate GRC
Aligning MCP risks with OWASP guidance (including the OWASP Top 10 for LLM Applications), CSA cloud controls, and NIST risk and security control catalogs streamlines governance, risk, and compliance. Adversa plans to support the formalization of an OWASP MCP Top 10 to give developers, SecOps, and auditors a common language for risk management.
Why prompt injection dominates MCP threat models
Prompt injection exploits an agent’s tendency to trust untrusted text as instructions. For example, when an MCP agent retrieves data from the web, a hidden instruction in that content might direct the agent to exfiltrate secrets or misuse tools—potentially escalating to RCE if dangerous tools are available. Effective mitigations include content provenance checks, tool allowlists, sensitive‑action confirmations, output encoding, and adversarial testing of agent workflows before production.
Organizations building AI agents on MCP can reduce exposure today by inventorying MCP endpoints and tools, deploying layered controls, and training teams to recognize and mitigate prompt injection. Track Adversa’s monthly updates, map identified risks to OWASP/CSA/NIST frameworks, and move steadily toward a zero‑trust architecture. These steps will lower incident likelihood and limit business impact if compromises occur.
