Other 2026-07-14
Industry Signal Impact: Important Conf: 85%

SANS Identifies Distributed Scanning of MCP Servers and AI Assistant Configs

Summary

SANS Internet Storm Center reports systematic scanning of MCP servers, AI assistant configs, and local LLM endpoints. 49 IPs targeted MCP handshakes, exploiting CVEs in MCP SDKs, signaling AI infrastructure as a new attack vector.

Key Takeaways

SANS Internet Storm Center, based on 14-day Apache+ModSecurity log analysis (low-traffic shared hosting), found systematic scanning of Model Context Protocol (MCP) servers, AI assistant configs, and local LLM endpoints. ~200 AI-related requests observed, 49 independent IPs initiated MCP handshakes. Attack methods: POST /mcp with legitimate JSON-RPC 2.0 initialize (protocolVersion=2025-03-26); GET /.claude/mcp.json, /.cursor/mcp.json, /.vscode/mcp.json, /.mcp/config.json; HEAD /.claude/.credentials.json, .config/claude/.credentials.json (bandwidth optimization); GET /v1/models (OpenAI compatible) and GET /api/tags (Ollama); GET /fetch?url=http://metadata.google.internal/...token (SSRF). Related CVEs: CVE-2026-25536 (CVSS 7.1) MCP TypeScript SDK cross-client data leak; CVE-2026-34742 (CVSS 8.1) MCP Go SDK. These vulnerabilities expose serious security flaws in MCP protocol implementations, allowing attackers to harvest AI credentials and cloud tokens, marking AI infrastructure security as a new battleground.

Why It Matters

This scanning attack exposes fundamental security gaps in MCP protocol design: no authentication in handshake, standardized config paths enabling low-cost bulk probing. CVE-2026-25536 (cross-client data leak in TypeScript SDK) and CVE-2026-34742 (Go SDK) reveal data isolation failures, allowing attackers to steal data between AI clients via the same MCP server. SSRF targeting cloud metadata endpoints (metadata.google.internal) shows transient token leakage risks in AI-cloud integration. Enterprises deeply integrating Claude, Cursor, etc., face supply chain attack vectors through plaintext credential files. Defense must shift to encrypted credential storage, network isolation of MCP endpoints, and protocol-layer authentication.

PRO Decision

[Vendors] Competitors (e.g., OpenAI, Google) should leverage this event to highlight the security advantages of their own AI APIs: OpenAI's function calling requires API key authentication with no standardized config paths; Google Vertex AI has built-in IAM and VPC-SC. They should publish technical comparisons exposing MCP's lack of authentication and encryption, and offer enhanced MCP-compatible alternatives or directly migrate customers. [Enterprises] CIOs must perform zero-trust audits: 1) enforce network isolation for all MCP servers; 2) encrypt config and credential files with access auditing; 3) patch CVE-2026-25536 and CVE-2026-34742; 4) block outbound requests to cloud metadata endpoints; 5) add API key or OAuth to MCP handshakes. [Investors] This validates the AI security market thesis. Focus on startups offering AI config encryption, MCP security gateways, and AI supply chain protection. Be cautious with platforms heavily relying on MCP (e.g., Anthropic) due to protocol security flaws hindering enterprise adoption. Long-term, AI infra providers with built-in security will command premium.

Source: 36氪
View Original →

Get 3-5 key AI infrastructure signals weekly →

💬 Comments (0)