Uncovering the Command Execution Flaw: Anthropic’s ‘Feature’ Exposed on 200,000 MCP Servers

Anthropic, the creators of the Model Context Protocol (MCP), established this open standard as a means for AI agents to communicate with tools. The industry giants OpenAI and Google DeepMind embraced MCP, with OpenAI officially adopting it in March 2025. Subsequently, Anthropic generously donated MCP to the Linux Foundation in December 2025, resulting in over 150 million downloads. However, a critical vulnerability was discovered by four researchers at OX Security, highlighting a fundamental flaw that impacts the entire ecosystem.

The issue revolves around MCP’s STDIO transport, the default method for connecting an AI agent to a local tool. This transport mechanism lacks proper sanitization, allowing the execution of any operating system command it receives without setting boundaries between configuration and command execution. Consequently, a malicious command can run undetected, posing a severe security risk. Despite the alarming findings, Anthropic defended the design, stating that STDIO’s execution model is a secure default and placing the responsibility for input sanitization on developers.

The researchers at OX Security conducted a thorough scan of the ecosystem and identified approximately 7,000 servers with active STDIO transport on public IPs, estimating a total of 200,000 vulnerable instances. They successfully demonstrated arbitrary command execution on multiple live production platforms, uncovering over 10 critical vulnerabilities across various AI frameworks and tools.

Industry experts, such as Kevin Curran, a cybersecurity professor at Ulster University, emphasized the significance of addressing this security gap in foundational AI infrastructure. Despite the widespread coverage of the disclosure by major media outlets, a comprehensive product-by-product audit is necessary to assess the security posture of individual MCP deployments.

To determine the exposure of MCP deployments, organizations must consider several critical questions. Firstly, if AI agents connected via MCP’s default STDIO transport are deployed, they are vulnerable to exploitation. The vulnerability is not isolated to a specific product but stems from a design flaw in the MCP specification inherited by all official language SDKs.

Vendor patching efforts vary, with some products partially addressing the issue, while others remain unpatched. It is essential to verify the patch status of each affected product and monitor vendor advisories for updates. However, it is crucial to note that product-level patches do not fundamentally alter the underlying vulnerability within the MCP protocol’s STDIO behavior.

Moving forward, organizations should treat every MCP STDIO configuration as an untrusted input surface, implementing stringent security measures such as isolation from the host operating system and thorough audits of MCP registries. By adopting a proactive approach to securing MCP deployments and prioritizing remediation actions, organizations can mitigate the inherent risks associated with the protocol’s design flaw.

In conclusion, while the debate between Anthropic and OX Security regarding the responsibility for securing MCP’s STDIO transport continues, organizations must take immediate steps to protect their MCP deployments. By acknowledging the inherent vulnerabilities, implementing necessary security measures, and staying informed about patch updates, organizations can safeguard their AI infrastructure from potential threats and ensure the integrity of their operations.