A fully unauthenticated MCP server in a Spring Boot communications platform exposed internal tools that enabled tool enumeration, SSRF to AWS IMDS, and LFI via file://, leading to live AWS IAM credential and database secret exposure. The case highlights how rapidly adopted MCP infrastructure has become a high-risk AI attack surface, with recent activity linked to GTG-1002, postmark-mcp, SmartLoader, and other MCP-targeting campaigns. #MCP #AWSIMDS #GTG-1002 #postmark-mcp #SmartLoader
Keypoints
- MCP has become a de facto integration layer for AI assistants, with rapid adoption across IDEs, AI assistants, and automation platforms.
- Security maturity has lagged behind adoption, leaving many MCP implementations exposed to path traversal, code injection, command injection, and SSRF.
- CloudSEK AIVigil found a critical unauthenticated MCP server in a customer environment that exposed internal tools and prompts.
- The exposed audio proxy tool enabled SSRF to AWS IMDS, resulting in retrieval of live AWS IAM role credentials.
- The same tool also accepted file:// URLs, enabling local file inclusion and leakage of plaintext database credentials from /proc/self/environ.
- The affected deployment was part of a Spring Boot communications platform with voice, SMS, audio processing, and callback tooling.
- The report links MCP exposure to broader adversary activity, including nation-state use, supply chain abuse, and malicious MCP server campaigns.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The unauthenticated MCP server was reachable externally and could be interacted with directly through exposed protocol methods (‘the endpoint was active, responding to standard MCP protocol requests, and required no authentication whatsoever’).
- [T1589] Gather Victim Identity Information – The server exposed internal tool listings and prompts that revealed capabilities and workflow structure (‘any external actor…could enumerate every available tool, resource definition, and prompt registered with the server’).
- [T1213] Data from Information Repositories – Internal resources and prompts were exposed through unauthenticated tool enumeration, allowing discovery of sensitive operational details (‘a full listing of internal tools, resources, and prompts built into the AI workflow’).
- [T1190] Server-Side Request Forgery – The audio download utility accepted an arbitrary URL and made outbound requests on the attacker’s behalf (‘Following that link caused the server to make an outbound request to the IMDS endpoint on the attacker’s behalf’).
- [T1552.001] Credentials In Files – Local file inclusion retrieved /proc/self/environ, exposing plaintext database credentials stored as environment variables (‘contained plaintext database credentials stored as environment variables’).
- [T1087] Account Discovery – The exposed telephony and messaging tools allowed discovery of internal platform functions and potentially related user/account metadata (‘voice call management, SMS dispatch, audio content processing, number metadata retrieval’).
- [T1041] Exfiltration Over C2 Channel – The proxy endpoint returned sensitive data such as IAM credentials and environment contents back to the requester (‘returned a JSON payload’ and ‘plaintext database credentials…leaked via /proc/self/environ’).
Indicators of Compromise
- [IP address / link-local metadata endpoint] SSRF target used to retrieve cloud metadata – 169.254.169.254, and other IMDS references
- [URL / protocol path] SSRF and LFI payloads used against the audio proxy tool – http://169.254.169.254/, file:///proc/self/environ, and file:///etc/passwd
- [CVE identifiers] Relevant vulnerability references for related MCP/SSRF issues – CVE-2025-68143, CVE-2025-68144, and other CVEs mentioned in the article
- [Named packages / software] Affected or referenced MCP software components – mcp-remote, mcp-server-git, postmark-mcp, Cursor IDE, and LMDeploy
- [Cloud artifact / credential material] Exposed secrets through SSRF and LFI – AWS IAM role credentials, database credentials, and environment variables
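Mitigation sketch: the SSRF and file:// paths above both come from a tool that fetches whatever URL it is handed, so the fix is a destination check before any request is made. The code below is an added example, not taken from the CloudSEK report or the affected platform; the names `check_fetch_url`, `is_public` and `ALLOWED_SCHEMES` are hypothetical, and it assumes the tool only needs http(s) downloads from public hosts.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the tool only needs web downloads


def is_public(ip_text):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the IMDS address
    return ip.is_global


def check_fetch_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason, addresses) for a caller-supplied URL."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return False, "malformed URL", []
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:  # rejects file://, gopher://, etc.
        return False, f"scheme not allowed: {scheme or '(none)'}", []
    if not host:
        return False, "missing host", []
    try:
        infos = resolver(host, port or (443 if scheme == "https" else 80),
                         type=socket.SOCK_STREAM)
    except (OSError, UnicodeError):
        return False, "host does not resolve", []
    # Judge the resolved addresses, not the hostname string: a public-looking
    # name can still point at link-local, loopback or private space.
    addrs = sorted({info[4][0] for info in infos})
    blocked = [a for a in addrs if not is_public(a)]
    if blocked or not addrs:
        return False, f"non-public address: {blocked}", addrs
    return True, "ok", addrs


if __name__ == "__main__":
    # URLs taken from the indicators listed above; all three are rejected.
    for u in ("http://169.254.169.254/", "file:///proc/self/environ",
              "file:///etc/passwd"):
        print(u, "->", check_fetch_url(u)[:2])
```

The fetch itself should connect to one of the returned addresses rather than resolving the name again, and redirects should be disabled or passed through the same check on every hop.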
Read more: https://www.cloudsek.com/blog/aivigil-mcp-security-case-study