MCP Hit 97 Million Downloads in One Year. Security Researchers Say It Wasn't Ready.
Source: Dev.to
The Numbers Look Incredible on Paper
OpenAI, Google, Microsoft, AWS—all adopted MCP within months of its launch. The ecosystem now includes over 10 000 published servers covering everything from developer tools to Fortune 500 deployments. Boston Consulting Group called it “a deceptively simple idea with outsized implications.”
Analysts estimate the MCP ecosystem will grow from $1.2 billion to $4.5 billion by the end of 2025, with some predicting 90 % of organizations will be running MCP integrations. Block, Bloomberg, Amazon, and hundreds of enterprise customers have already deployed it in production.
Security Came Second
In April 2025, security researchers at Palo Alto Networks identified five critical attack vectors:
- Prompt injection
- Tool shadowing
- Privilege escalation
- Data exfiltration
- “Rug pull” attacks – MCP tools can silently change their definitions after installation, turning a benign‑looking tool on Monday into a conduit for stolen API keys by Friday.
The official MCP specification says there “SHOULD always be a human in the loop.” Security experts at Strobes responded bluntly: treat that SHOULD as a MUST.
June 2025 brought CVE‑2025‑6514, a critical vulnerability (CVSS 9.6) in mcp-remote—a popular OAuth proxy with over 437 000 downloads. The flaw turned every unpatched installation into a supply‑chain backdoor, allowing attackers to execute arbitrary commands, steal cloud credentials, and grab SSH keys simply by pointing an LLM host at a malicious endpoint.
Red Hat’s analysis noted that MCP servers store OAuth tokens for services like Gmail, Google Drive, and corporate resources. Compromise one server, and you gain keys to everything. Traditional account breaches trigger notifications; token theft through MCP often looks like legitimate API access.
The December Pivot Changes the Game
On December 9 2025, Anthropic donated MCP to the newly formed Agentic AI Foundation (AAIF) under the Linux Foundation. OpenAI, Google, Microsoft, AWS, Block, Bloomberg, and Cloudflare signed on as founding members.
Enterprises prefer open standards with transparent governance over protocols controlled by a single vendor. Jim Zemlin, Linux Foundation Executive Director, summed it up:
“Bringing these projects together under the AAIF ensures they can grow with the transparency and stability that only open governance provides.”
The specification is maturing—the June 2025 update adopted OAuth 2.1 principles, and the November release added new primitives for long‑running tasks. Still, as one researcher warned, “hundreds of MCP servers on the web today are misconfigured, unnecessarily exposing users of AI apps to cyberattacks.”
What This Means for Your AI Strategy
MCP adoption is no longer optional. BCG found that without MCP, integration complexity rises quadratically as AI agents spread through an organization; with MCP, it increases linearly—a significant operational advantage.
The question isn’t whether to adopt, but how to do it without creating new attack surfaces.
Three Things Worth Considering
- Audit every MCP server before deployment and implement allow‑listing. Community‑built servers vary wildly in quality and security posture.
- Don’t trust tool definitions that change silently. Any MCP client should alert users when server definitions evolve; if yours doesn’t, that’s a red flag.
- Treat the human‑in‑the‑loop guidance as mandatory, not optional. The protocol’s flexibility is exactly what makes autonomous agent actions dangerous without explicit consent mechanisms.
MCP represents a fundamental shift in how AI systems connect to enterprise tools. The growth trajectory is undeniable, but the gap between adoption velocity and security maturity should make every technical leader pause.
What’s your organization’s approach to MCP security—building safeguards into your adoption strategy, or racing to catch up?
Sources
- Linux Foundation AAIF Announcement:
- MCP Official Blog – One Year Anniversary:
- Palo Alto Networks MCP Security Research:
- Red Hat Security Analysis:
- eSentire CISO Security Guide: