Organizations with exposed MCP servers: 1,800+ MCP servers exposed without authentication: How zero trust can secure the AI agent revolution

Exposed AI Servers and Zero-Click Exploits: A Cybersecurity Crisis Unfolds

In a stark revelation last summer, Knostic security researchers uncovered 1,862 publicly exposed MCP (Multi-Tool Chain Protocol) servers, leaving organizations’ AI infrastructure alarmingly vulnerable. A manual review of 119 servers confirmed a disturbing reality: every single instance allowed unauthenticated access to internal tool inventories effectively broadcasting AI capabilities to anyone with the means to look. Far from being abandoned test environments, these were production systems with write access to critical assets, including financial databases, social media accounts, and CRM platforms.

The threat escalated in June 2025 when Aim Security disclosed EchoLeak (CVE-2025-32711), a zero-click exploit targeting Microsoft 365 Copilot. Attackers embed malicious prompts in overlooked document elements speaker notes, hidden comments, or metadata exploiting Copilot’s automated processing to silently exfiltrate sensitive data to attacker-controlled servers. The attack requires no user interaction, leaving victims unaware of the breach. This marks a dangerous evolution in AI-driven cyber threats, where even routine business documents become vectors for undetected compromise.

Source: https://www.csoonline.com/article/4168979/1800-mcp-servers-exposed-without-authentication-how-zero-trust-can-secure-the-ai-agent-revolution.html

Obot AI cybersecurity rating report: https://www.rankiteo.com/company/obots-ai

"id": "OBO1778495141",
"linkid": "obots-ai",
"type": "Breach",
"date": "6/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'type': 'Organization'}],
 'attack_vector': ['Unauthenticated Access', 'Malicious Document Prompts'],
 'data_breach': {'data_exfiltration': 'Yes (via EchoLeak exploit)',
                 'file_types_exposed': ['Documents (with hidden metadata, '
                                        'speaker notes, comments)'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Financial databases',
                                              'Social media accounts',
                                              'CRM platforms',
                                              'Internal tool inventories']},
 'date_detected': '2024-06-01',
 'date_publicly_disclosed': '2025-06-01',
 'description': 'Knostic security researchers uncovered 1,862 publicly exposed '
                'MCP servers, all allowing unauthenticated access to internal '
                'tool inventories, including production systems with write '
                'access to critical assets. Additionally, Aim Security '
                'disclosed EchoLeak (CVE-2025-32711), a zero-click exploit '
                'targeting Microsoft 365 Copilot, enabling silent data '
                'exfiltration via malicious prompts in documents.',
 'impact': {'data_compromised': 'Sensitive data (financial databases, social '
                                'media accounts, CRM platforms, internal tool '
                                'inventories)',
            'systems_affected': ['AI infrastructure', 'Microsoft 365 Copilot']},
 'post_incident_analysis': {'root_causes': ['Publicly exposed MCP servers',
                                            'Lack of authentication',
                                            'Vulnerable Microsoft 365 Copilot '
                                            'implementation']},
 'references': [{'source': 'Knostic Security Researchers'},
                {'source': 'Aim Security'}],
 'title': 'Exposed AI Servers and Zero-Click Exploits: A Cybersecurity Crisis '
          'Unfolds',
 'type': ['Data Exposure', 'Zero-Click Exploit'],
 'vulnerability_exploited': ['CVE-2025-32711 (EchoLeak)',
                             'Publicly Exposed MCP Servers']}