Monday, July 13, 2026

News

Someone Is Mass-Scanning the Internet for Unsecured MCP Servers

CodingPatryk Raba
Fot. Tima Miroshnichenko, Pexels (Pexels License)

SANS Internet Storm Center analysts have identified a distributed campaign scanning the internet for open MCP servers, AI coding assistant credential files, and unsecured large language model endpoints.

Contents
  1. How the Scanning Works
  2. What's at Stake
  3. The Scale of the Problem
  4. Implications for Businesses

Analysts at the SANS Internet Storm Center described on Monday a distributed internet-scanning campaign targeting Model Context Protocol servers, AI coding assistant credential files, and unsecured large language model access points. The scanning is not random, it is precisely aimed at infrastructure that has proliferated across companies deploying AI agents in recent months.

Model Context Protocol is a standard that over the past year has become the default way to connect AI agents to external tools, databases, and corporate systems. MCP's popularity among developers of coding agents and office assistants has led servers supporting the protocol to appear on the open internet en masse, often without basic authentication.

How the Scanning Works

Santander Peláez analyzed traffic hitting a single small web server running WordPress and a few custom applications. Among hundreds of requests, he identified about 200 tied directly to AI infrastructure, spread across 14 days. The key signal was that some requests aimed at the /mcp path were not random network noise but properly formatted initialize calls in JSON-RPC 2.0 format, consistent with the MCP protocol.

POST attempts to /mcp stood out from the rest of the traffic, carrying a valid JSON-RPC 2.0 body - Manuel Humberto Santander Peláez, SANS Internet Storm Center

Requests of this type arrived from 49 different IP addresses, which according to the researcher rules out a single test script and points to a broad, distributed reconnaissance campaign. In parallel, scanners checked for the presence of configuration files typical of popular coding assistants, first sending HEAD requests to determine whether a file exists at all without downloading its full contents.

What's at Stake

An MCP server without authentication is, as the SANS researcher put it, a ready-made menu of everything a given AI agent can access, served to anyone who correctly completes the protocol handshake. In practice, this means an attacker can see and potentially exploit the same tools, databases, or file systems that an AI agent has legitimately connected to its work.

It's a machine-readable menu of everything the agent can touch, offered to anyone who completes the handshake - Manuel Humberto Santander Peláez, SANS Internet Storm Center

The scanners also tried other vectors, including SSRF attacks targeting cloud metadata services, rotating parameters such as url, uri, path, and dest in hopes of stealing access tokens from instances on Google Cloud. They also tested open LLM endpoints, including ones compatible with the OpenAI API and local Ollama installations, which, if left unsecured, give an attacker free computing power or a foothold for further action.

The Scale of the Problem

The scale of the phenomenon is also visible in broader research. Research firm TrendAI analyzed nearly 9,700 MCP servers indexed across four major directories, including GitHub, between November 2025 and March 2026. The result: 2,259 servers had confirmed security vulnerabilities, and the total number of detected flaws reached nearly 5,000. Most involved arbitrary file access, denial of service, and command injection, but among them were also 185 cases of prompt injection vulnerabilities, capable of directly altering an AI agent's behavior.

Particularly concerning is TrendAI's finding that verification badges, popularity, or commit activity in a repository provide no real protection. Verified servers recorded nearly the same number of issues as unverified ones, undermining the sense of security built around popular MCP tool directories.

Implications for Businesses

For companies deploying coding agents and office assistants built on MCP, the conclusions are concrete. Researchers recommend blocking POST requests to the /mcp and /sse paths if a given MCP service is not meant to be publicly exposed at all, removing AI assistant configuration files from externally accessible directories, testing from the outside whether LLM endpoints happen to be open, and blocking requests to cloud metadata services, along with enforcing newer, more secure versions of these mechanisms such as IMDSv2 on AWS.

The case fits into a broader trend of recent months, in which security researchers have regularly described new attack vectors targeting AI agents and development tools built on large language models. Unlike previously described, named attack techniques, this is not about a single vulnerability but an active, ongoing reconnaissance campaign that is systematically mapping how much of this infrastructure sits on the internet with no protection at all.

Sources: Someone Is Scanning for Your MCP Servers and AI Assistant Credentials (isc.sans.edu), 4,982 Security Issues Expose 2,259 Public MCP Servers to AI Agent Attacks (cyberpress.org)

Share: