Source: Cloud Security Alliance
Author: unknown
URL: https://cloudsecurityalliance.org/blog/2026/03/24/the-agentic-trust-deficit-why-mcp-s-authentication-vacuum-demands-a-new-security-paradigm
ONE SENTENCE SUMMARY:
MCP’s rapid enterprise adoption outpaced security, enabling unauthenticated exposure, agentic exploits, supply-chain compromise, and necessitating zero-trust cryptographic controls.
MAIN POINTS:
- MCP became a core connector between LLM agents and sensitive enterprise systems.
- Knostic found 1,862 internet-exposed MCP servers, many revealing tools without authentication.
- Manual checks showed 119/119 verified servers allowed unauthenticated internal tool listing access.
- Exposed MCP deployments included production write access to finance, CRM, and social media.
- EchoLeak (CVE-2025-32711) enabled zero-click data exfiltration via hidden document instructions.
- Attackers abused Copilot context to smuggle secrets through outbound URLs disguised as image requests.
- JFrog disclosed mcp-remote (CVE-2025-6514) command injection enabling client-side RCE.
- Tool poisoning hides malicious directives in tool metadata invisible to human reviewers.
- Rug pull attacks swap benign tool definitions later, bypassing point-in-time security vetting.
- CSA Agentic Trust Framework maps to defenses: attestation, monitoring, scanning, and per-invocation policy.
TAKEAWAYS:
- Eliminate “authentication optional” MCP usage; mandate OAuth2-equivalent identity for every agent/server.
- Require per-tool-call authorization decisions, not coarse session trust, to constrain agentic blast radius.
- Bind tool definitions cryptographically to server identity; force re-authorization on any definition change.
- Add MCP-specific supply-chain and semantic scanning to detect prompt patterns and obfuscation.
- Reduce exposure by discovering shadow MCP, segmenting networks, and monitoring anomalous tool invocations.