CloudSEK AIVigil — Unauthenticated MCP Server Led to SSRF and AWS Credential Theft

AI relevance: CloudSEK's AIVigil monitoring platform discovered a real-world instance where an unauthenticated Model Context Protocol (MCP) server — deployed as part of a Spring Boot AI-augmented communications platform — chained into SSRF, local file inclusion, and exfiltration of live AWS IAM credentials and database secrets, demonstrating how rapid MCP adoption has outpaced security maturity in production AI stacks.

What was found

  • No authentication at the protocol layer. The MCP server registered tools for voice call management, SMS dispatch, audio content processing, and call callback handling — but lacked any authentication middleware, OAuth scoping, or rate limiting. Anyone who discovered the endpoint could enumerate and invoke all registered tools.
  • SSRF via unrestricted proxy tool. An audio download utility designed for AI-driven media processing pipelines accepted arbitrary URLs, enabling server-side request forgery against internal infrastructure including the EC2 instance metadata service.
  • Local file inclusion to credential exfiltration. The same tool could be coerced into reading arbitrary local files, allowing an attacker to pull database credentials, environment variables, and other secrets from the host filesystem.
  • Live AWS IAM credential theft. By chaining the SSRF to IMDS with the LFI capability, an attacker could retrieve live AWS IAM credentials, enabling cloud-pivot attacks across messaging, storage, and compute services.
  • Broad MCP exposure context. CloudSEK's findings arrive alongside independent measurements showing 8,000+ MCP servers exposed to the public internet; an analysis of 2,614 implementations found 82% prone to path traversal (CWE-22), 67% to code injection (CWE-94), and 34% to command injection (CWE-78). Over 30 CVEs affecting MCP servers were filed in January–February 2026 alone.
  • Nation-state operationalization. Google Threat Intelligence Group confirmed that adversaries from China, Iran, and North Korea have already operationalized LLMs and MCP infrastructure for reconnaissance, initial access, and credential theft.

Why it matters

MCP is no longer experimental — it is the connective tissue of enterprise AI, integrating LLM agents with databases, version control, cloud infrastructure, and business-logic tools. Yet the same authentication discipline applied to traditional API endpoints is routinely missing from MCP deployments. Developer teams integrate MCP tooling to accelerate AI capabilities, often without applying the security middleware that protects their existing APIs. The vulnerability chain here (unauthenticated MCP → unrestricted proxy → SSRF to IMDS → LFI → credential exfiltration) is not a sophisticated zero-day; it is a straightforward exploitation of basic misconfiguration in infrastructure that most security programs have not yet caught up with.

What to do

  • Enforce authentication on all MCP endpoints at the protocol layer — no exceptions for internal or staging deployments.
  • Restrict proxy tool inputs to an explicit allowlist of permitted domains and block all internal IP ranges.
  • Require IMDSv2 on all EC2 instances to block SSRF-to-IMDS attacks.
  • Rotate any IAM credentials and environment-variable secrets that may have been accessible during the exposure window.
  • Implement continuous AI attack surface monitoring to detect new MCP exposures as your environment changes.
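The first three recommendations above can be expressed as a small egress policy in front of any proxy-style tool (here, the audio-download tool) plus a protocol-layer gate on tool invocation. The following is an added Python example written for this page; it is not CloudSEK's code nor the affected Spring Boot platform's. The allowlist `ALLOWED_HOSTS`, the function names and the constructed DNS records are assumptions for illustration. It rejects non-HTTP schemes (closing the `file://` read path), enforces a host allowlist, and checks every address the host resolves to against an explicit list of internal, link-local and metadata ranges, including the IPv4-mapped IPv6 form of the IMDS address.

```python
import hmac
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist for the audio-download tool: only these hosts may be fetched.
ALLOWED_HOSTS = {"media.example.com", "cdn.example.com"}

# Address space a proxy-style tool must never reach. Listed explicitly (rather than
# relying on ipaddress.is_private) so the policy is reviewable and so documentation
# ranges such as 203.0.113.0/24 are not accidentally blocked.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # shared address space (CGNAT)
    "127.0.0.0/8", "::1/128",                          # loopback
    "0.0.0.0/8", "::/128",                             # unspecified / "this" network
    "169.254.0.0/16", "fe80::/10",                     # link-local; covers IMDS at 169.254.169.254
    "fc00::/7",                                        # IPv6 ULA; covers AWS IMDS at fd00:ec2::254
    "224.0.0.0/4", "ff00::/8",                         # multicast
)]


class UnsafeUrlError(ValueError):
    """Raised when a tool input URL fails the egress policy."""


def is_blocked_address(addr: str) -> bool:
    """True if addr (IPv4 or IPv6 literal) lands in internal/metadata space."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 zone index if present
    # ::ffff:169.254.169.254 is the IMDS address in IPv4-mapped form; unmap before checking.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(host: str) -> list[str]:
    """Resolve host to every A/AAAA address; the caller checks all of them."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def reject_reason(url, *, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver):
    """Return None if url may be fetched, else a short reason for rejection."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not permitted"  # rejects file://, gopher://, etc.
    if parts.username or parts.password:
        return "credentials embedded in URL"  # blocks the "allowed-host@real-host" trick
    host = parts.hostname
    if not host:
        return "missing host"
    if host.lower() not in allowed_hosts:
        return f"host {host!r} not in allowlist"  # IP literals never match a name allowlist
    try:
        addresses = resolver(host)
    except OSError as exc:
        return f"resolution failed: {exc}"
    if not addresses:
        return "host did not resolve"
    # An allowlisted name is not enough: a stale or attacker-controlled DNS record
    # could point it into internal space, so every resolved address is checked too.
    for addr in addresses:
        if is_blocked_address(addr):
            return f"host {host!r} resolves to blocked address {addr}"
    return None


def validate_download_url(url, **policy):
    """Raise UnsafeUrlError unless url passes the egress policy; return it otherwise."""
    reason = reject_reason(url, **policy)
    if reason is not None:
        raise UnsafeUrlError(reason)
    return url


def authorize_tool_call(headers, expected_token):
    """Minimal protocol-layer gate: reject any tool invocation without a valid bearer token.
    Stands in for a real OAuth/mTLS layer; the point is that no tool runs unauthenticated."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


if __name__ == "__main__":
    # Constructed sample inputs mirroring the advisory's chain: a local-file read via
    # file://, the link-local IMDS address, and a legitimate allowlisted fetch.
    sample_dns = {"media.example.com": ["203.0.113.10"]}  # constructed DNS records
    for candidate in ("file:///etc/passwd",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://media.example.com/recording.mp3"):
        verdict = reject_reason(candidate, resolver=lambda h: sample_dns.get(h, []))
        print(candidate, "->", verdict or "allowed")
```

Two caveats apply when wiring this in. The check must run on every URL the HTTP client will actually contact, so either disable redirect following or re-validate each redirect target, and connect to the address that was validated rather than letting the client resolve the name a second time, which narrows the DNS rebinding window. IMDSv2 stays valuable as defence in depth even with this policy in place: its session token must be fetched with a PUT request carrying a custom TTL header, which a tool that only issues GET requests cannot produce.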

Sources