MCP servers facilitate communication between AI agents and external tools via JSON-RPC messages. The 'mcpwn' toolkit provides an interactive proxy to intercept and manipulate these messages, exposing vulnerabilities like indirect prompt injection (injecting malicious instructions into tool call results), tool poisoning (altering tool descriptions), and confused deputy attacks (coercing privileged tools to perform unintended actions). The tool is intended for authorized security testing only and demonstrates how lack of cryptographic authentication and authorization controls in MCP can be exploited. There is no indication of known exploits in the wild or vendor patches. The project is in early release stages and aims to improve MCP security by enabling live testing and vulnerability discovery.

If exploited, attackers could manipulate the responses MCP servers send to AI agents, potentially causing agents to execute unauthorized commands or exfiltrate sensitive data. The vulnerabilities demonstrated include indirect prompt injection, tool poisoning, and confused deputy attacks, which could lead to unauthorized actions by AI agents. However, these risks currently require a man-in-the-middle position or authorized access to the MCP communication channel. No known active exploits have been reported.

No official vendor patches or advisories are available for MCP servers at this time. The 'mcpwn' tool is intended for authorized security testing only and should be used to identify and remediate vulnerabilities in MCP deployments before attackers can exploit them. Organizations using MCP servers should consider implementing strong authentication and authorization controls, monitor for unusual agent behavior, and apply security best practices for AI agent integrations. Patch status is not yet confirmed — check vendor advisories for updates.