Entry 925362

The backbone of modern AI systems is the Large Language Models (LLM). In isolation, however, LLMs have no utility beyond conversation. This changed with the introduction of the Model Context Protocol (MCP): MCP establishes the standard communication protocol for AI systems to connect with external systems. This has dramatically increased the capabilities of LLMs by allowing them to interface with virtually any software. With MCP servers, LLMs are no longer conversational chatbots confined to their training data, but full-fledged agents capable of acting autonomously on behalf of users. MCP has enabled AI agents, which now dominate the AI and software landscape.

Figure 1 - Diagram showing a typical architecture of a system using an MCP server.

MCP servers function as a bridge between LLMs and external systems. At a high level, an AI application is first pre-configured with the ability to use trusted MCP servers. Upon connecting, the MCP Server provides the application the list of Tools available for use, descriptions of the Tools, and instructions for how and when to use them. The application’s underlying LLM serves as the decision maker, deciding when it will benefit from an MCP tool call. When the LLM decides to use an MCP Tool, it outputs a Tool request for the MCP Client to send to the MCP Server. The MCP Server authenticates and authorizes the request, executes the Tool, interacting with external services as needed, and returns the final response to the MCP Client. Lastly, the LLM uses the Tool response to continue completing its task.

For the finer details, the MCP specification can be found here: https://modelcontextprotocol.io/specification

Threats and Mitigations

The end-to-end MCP client-server dataflow presents a unique threat model. When threat modeling an AI system using an MCP Server, it is crucial to consider the non-deterministic nature of AI. Below we consider the threats and mitigations of a basic system with two components: an AI Application communicating with an MCP Server.

*AI Application*
Threat	Mitigations
Indirect Prompt Injection AI model inadvertently treats data returned by the MCP server as instructions which an attacker exploits to hijack the AI model	Prompt engineering: Ensure the system prompt instructs to model to not treat data as instructions AI guardrails: Architect the system with safety layers that continuously monitor and verify the AI model’s inputs and outputs
Direct Prompt Injection MCP server is compromised and an attacker causes it to respond with malicious instructions, hijacking the AI model
Unintended Tool Execution AI model calls an MCP tool without the user’s intent or knowledge (e.g. a dangerous mutating tool)	Human-in-the-loop: Require human approval for dangerous tool calls Tool allowlisting: Restrict the MCP tools that the LLM is allowed to call
Insecure MCP Response Handling Malicious MCP response flows into unsafe sinks (e.g. command executions, filesystem writes, network calls, etc.)	Input validation: Restrict allowed inputs to only what is expected Input sanitization: Escape and encode dangerous control characters like “&”
Context Window Poisoning An MCP response poisons the AI agent’s memory or its other sources	HMAC signing: Sign each entry and verify the signature before use Distrust MCP responses: Avoid storing data from MCP responses
MCP Server Spoofing The application unknowingly communicates with an attacker-controlled MCP server	mTLS: Require Mutual TLS with short-lived certificates to authenticate the server Network segmentation: Restrict allowed network communications to only trusted destinations

```html

MCP Server
Threat	Mitigations
Confused Deputy An attacker manipulates the MCP Server to perform actions using the server’s elevated privileges rather than their own limited privileges	Client authorization: Authorize each client individually and separate from the server’s identity Continuous verification: Re-verify the client’s authorization for every request and at each step of the delegation chain
Excessive Capabilities An MCP Tool accesses resources or performs operations on behalf of the user that the user by themself lacks the permissions to do	Strict authorization: Execute code only within the user’s own authorization context Tool authorization: Restrict the advertised tools list based on the user’s permission level
Improper Access Controls An attacker gains access to sensitive data or operations due to insufficient access controls	Authenticate users: Verify user identity with access tokens like API keys Authorize access: Verify all resource access through an ACL
Insecure Input Handling Untrusted user input may flow into unsafe sinks and result in a variety of injection attacks (e.g. SQLi, IDOR, RCE, etc.)	Input validation: Restrict allowed inputs to only what is expected Input sanitization: Escape and encode dangerous control characters like “&”
Insecure Configuration A misconfigured server introduces a variety of vulnerabilities	Continuous scanning: Configure periodic scans on the code and server to identify known vulnerabilities Principle of least privilege: Limit the service user’s OS privileges to the minimum needed to function

More Information

Discover how cyber experts like Philip Salire Security Engineer and author of this article, can help secure your organization with AI Security Services. Fill out the form, and we’ll contact you within one business day.

Nombre

Apellido

Empresa / Organización

Correo electrónico

Número de teléfono

¿En qué podemos ayudarle?

Doy mi consentimiento para que se procesen mis datos tal y como se describe en la Política de privacidad y acepto los Términos y condiciones.

Acepto que Bureau Veritas Cybersecurity utilice estos datos para proporcionarme información adicional sobre sus servicios, eventos o temas que puedan ser de mi interés.

¿Por qué elegir la ciberseguridad de Bureau Veritas?

Bureau Veritas Cybersecurity es su socio experto en ciberseguridad. Ayudamos a las organizaciones a identificar riesgos, reforzar sus defensas y cumplir con las normas y regulaciones de ciberseguridad. Nuestros servicios abarcan personas, procesos y tecnología, desde la formación en materia de concienciación y la ingeniería social hasta el asesoramiento en seguridad, el cumplimiento normativo y las pruebas de penetración.

Operamos en entornos de TI, TO e IoT, y damos soporte tanto a sistemas digitales como a productos conectados. Con más de 300 profesionales de la ciberseguridad en todo el mundo, combinamos una profunda experiencia técnica con una presencia global. Bureau Veritas Cybersecurity forma parte del Bureau Veritas Group, líder mundial en pruebas, inspección y certificación.

The Security Risks of MCP Servers

¿Por qué elegir la ciberseguridad de Bureau Veritas?