MDPI — attack surfaces of malicious remote MCP servers across LLM platforms
AI relevance: The Model Context Protocol (MCP) is the de facto standard for connecting AI agents to external tools; this paper maps the full attack surface when remote MCP servers are malicious, providing a taxonomy that platform teams can use to audit their tool integrations.
- LLM-passive / LLM-active framework: The paper organizes the threat space by the role the host LLM plays. LLM-passive attacks complete entirely inside the malicious server (no model participation needed). LLM-active attacks require the LLM to process and deliver malicious content.
- LLM-passive attacks: The server itself executes the harmful outcome — credential theft, data exfiltration, or unauthorized actions — without the model's awareness. The model is just a conduit.
- LLM-active attacks: Further decomposed into description-based attacks (malicious tool descriptions trick the model into invoking dangerous tools) and output-based attacks (poisoned tool outputs manipulate subsequent agent decisions).
- Cross-platform scope: The research covers attack surfaces across multiple LLM platforms, demonstrating that MCP's trust model is consistent — and consistently vulnerable — regardless of which agent framework is hosting the connection.
- Parasitic tool chaining: A poisoned output from one MCP server can influence which tool from a second server the agent invokes next — a cascading attack that doesn't require the attacker to compromise both servers.
- Published in Electronics (MDPI): Peer-reviewed publication in volume 15, issue 10, article 2214 — lending academic weight to a threat model that practitioners have been raising informally.
Why it matters
Teams adding MCP servers to their agents often treat them as "just another API endpoint." This paper demonstrates that a malicious MCP server is fundamentally different — it can either act directly (passive) or manipulate the agent's own reasoning (active). The LLM-passive/active taxonomy gives defenders a structured way to reason about MCP trust boundaries.
What to do
- Inventory all remote MCP servers connected to your agents — treat each one as a potential trust boundary.
- Apply the LLM-passive vs LLM-active framework: can each server act without model approval? If so, sandbox it.
- Consider the paper: MDPI Electronics 15(10), 2214.