Exposed MCP Servers Triple to 1,467; Trend Micro Finds Cloud Command-Injection Flaws

AI relevance: every exposed MCP server gives an unauthenticated caller direct access to the tools, databases, and cloud APIs that AI agents rely on — turning a misconfigured dev endpoint into a production-grade backdoor.

  • Trend Micro's follow-up scan counts 1,467 exposed MCP servers on the public internet, nearly triple the 492 found in their July 2025 baseline.
  • Of those, 1,227 still use the legacy SSE transport — a long-deprecated MCP protocol variant — indicating widespread failure to upgrade to more secure Streamable HTTP.
  • A separate academic measurement study found that roughly 40% of remote MCP servers expose their tools with no authentication at all, and surfaced nine CVEs traced back to broken OAuth flows.
  • Trend Micro discovered CVSS 9.8 command-injection flaws in unofficial AWS and Azure MCP servers, disclosed through ZDI (ZDI-CAN-28042 and ZDI-CAN-28043).
  • The "execute_sql" tool was found on 70 exposed hosts, meaning anyone can run arbitrary SQL queries against connected databases without authentication.
  • The exposed set also includes 70 hosts with direct database access, 39 hosts running Graphiti Agent Memory (a prime target for memory exfiltration), and at least three servers whose "progress_note" features access patient medical records.
  • Censys independently counted 12,520 Internet-accessible MCP services, most unauthenticated, many exposing database-query and command-execution capabilities.
  • The exposure has shifted from local dev machines to cloud infrastructure — attackers can now pivot from a single exposed MCP server to full cloud compromise.

Why it matters

MCP servers act as the bridge between AI agents and real systems. When 40% run without authentication and 1,200+ still use deprecated transports, the attack surface for AI tool chains is growing faster than defenders can audit. The presence of "execute_sql" on 70 unauthenticated hosts means database compromise is a single HTTP request away.

What to do

  • Audit all MCP servers for public exposure — any server reachable from the internet must require authentication.
  • Migrate from SSE to Streamable HTTP and implement OAuth 2.1 for remote MCP connections.
  • Remove "execute_sql" and similar high-privilege tools from any MCP server that faces untrusted networks.
  • Treat MCP servers as cloud infrastructure subject to the same hardening standards as databases and API gateways.
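The four hardening points above, turned into an inventory check. This is an added example, not code from Trend Micro or from any MCP project: the McpServer record, its field names and the tool names in HIGH_PRIV_TOOLS are assumptions standing in for whatever inventory format a team actually keeps, and the three servers are constructed.

```python
# Added example: audit locally recorded MCP server definitions against the
# hardening points in "What to do". The record layout is an assumption, not
# any real MCP server's configuration schema.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HIGH_PRIV_TOOLS = {"execute_sql", "run_command", "shell"}  # assumed tool names
LOOPBACK_BINDS = {"127.0.0.1", "localhost", "::1"}

@dataclass
class McpServer:
    name: str
    bind: str                 # listen address; anything not loopback is reachable remotely
    transport: str            # "sse" (legacy) or "streamable-http"
    auth: Optional[str]       # e.g. "oauth2.1", "bearer", or None for no authentication
    tools: List[str] = field(default_factory=list)

def audit(server: McpServer) -> List[str]:
    """Return findings, most severe first, for one server definition."""
    findings = []
    remote = server.bind not in LOOPBACK_BINDS
    if remote and not server.auth:
        findings.append("CRITICAL: reachable beyond localhost with no authentication")
    if server.transport == "sse":
        findings.append("HIGH: legacy SSE transport; migrate to Streamable HTTP")
    risky = sorted(set(server.tools) & HIGH_PRIV_TOOLS)
    if remote and risky:
        findings.append("HIGH: high-privilege tools on a remote endpoint: " + ", ".join(risky))
    if remote and server.auth and server.auth != "oauth2.1":
        findings.append(f"MEDIUM: remote auth is '{server.auth}', not OAuth 2.1")
    return findings

def audit_inventory(servers: List[McpServer]) -> Dict[str, List[str]]:
    return {s.name: audit(s) for s in servers}

# Constructed inventory: one bad dev box, one loopback-only server, one hardened server.
INVENTORY = [
    McpServer("dev-db", "0.0.0.0", "sse", None, ["execute_sql", "list_tables"]),
    McpServer("notes", "127.0.0.1", "streamable-http", None, ["progress_note"]),
    McpServer("cloud-ops", "0.0.0.0", "streamable-http", "oauth2.1", ["describe_instances"]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

The loopback-only "notes" server passes even without auth because it is not remotely reachable; the check is about internet exposure, not about whether local-only servers should also carry auth.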

Links