Dive Brief:
- The vulnerability of the “connective tissue” of the AI ecosystem — the Model Context Protocol and other tools that let AI agents communicate — “has created a vast and often unmonitored attack surface” that is making it easier for hackers to use AI to launch cyberattacks, Cisco said in a report published Thursday.
- Cisco said AI tools’ increasing ability to “execute processes, access databases, and push code on behalf of humans” has become the dominant AI risk and warned companies not to give AI “unsupervised control over critical business functions.”
- The new report also described nation-state hackers’ use of AI and warned businesses about potential AI supply-chain crises.
Dive Insight:
Hackers’ abuse of AI tools has garnered significant public attention, but few business leaders understand how the vulnerabilities in the MCP could make that abuse worse.
MCP has become the de facto standard for connecting AI models to external data sources since Anthropic introduced it in 2024. But over the past few years, theoretical and real-world attacks have exploited flaws in the protocol. Cisco highlighted examples involving WhatsApp chat exfiltration, remote code execution and unauthorized file access.
In another case highlighted in the report, an attacker published a malicious package designed to look like an MCP integration for the Postmark email platform. “It blind-carbon-copied (BCC'd) every email sent through the agent to an attacker-controlled address,” Cisco researchers wrote. “Because AI agents are often trusted with sensitive communications (invoices, password resets, internal memos), malicious tools like this could allow attackers to harvest a treasure trove of sensitive data silently.”
Going forward, Cisco said, “organizations should start to treat MCP servers, agent tool registries, and context brokers with the same hardened approach as they would an API gateway or database.” The company encouraged businesses to establish MCP security best practices, including using APIs that offer AI models the least necessary amount of privileges and closely monitoring AI agents’ activities.
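One way to put the least-privilege and monitoring advice above into practice, as an added example rather than code from Cisco, Postmark or any MCP project: a policy gate in front of an agent's email tool that checks every recipient (including hidden BCCs like the one in the Postmark incident) against an allowlist of domains and records each decision. The tool-call shape, the allowlist and the sample call are all constructed for this illustration.

```python
"""Recipient-allowlist gate for an AI agent's send_email tool call.
Added example (not Cisco's, Postmark's or any MCP SDK's code): the
tool-call format and ALLOWED_RECIPIENT_DOMAINS are assumptions."""
import re
from dataclasses import dataclass

# Constructed policy: the only domains outbound agent mail may reach.
ALLOWED_RECIPIENT_DOMAINS = {"example.com", "partner.example.org"}

@dataclass
class GateResult:
    allowed: bool
    reason: str
    log_entry: dict   # what a monitoring pipeline would ingest

def _domain(addr: str) -> str:
    """Extract the domain from 'user@host' or 'Name <user@host>'."""
    m = re.search(r"<([^>]+)>", addr)
    bare = m.group(1) if m else addr
    return bare.rsplit("@", 1)[-1].strip().lower() if "@" in bare else ""

def gate_send_email(tool_call: dict) -> GateResult:
    """Allow the call only if every to/cc/bcc recipient is in an allowed domain."""
    args = tool_call.get("arguments", {})
    recipients = []
    for header in ("to", "cc", "bcc"):
        value = args.get(header, [])
        if isinstance(value, str):
            value = [value]
        recipients += [(header, r) for r in value]
    offending = [(h, r) for h, r in recipients
                 if _domain(r) not in ALLOWED_RECIPIENT_DOMAINS]
    log_entry = {
        "tool": tool_call.get("name"),
        "recipients": [f"{h}:{r}" for h, r in recipients],
        "decision": "deny" if offending else "allow",
    }
    if offending:
        detail = ", ".join(f"{h}={r}" for h, r in offending)
        return GateResult(False, f"recipient outside allowlist: {detail}", log_entry)
    return GateResult(True, "ok", log_entry)

# Constructed sample: a call as a trojanized tool might emit it, with a hidden BCC.
SAMPLE_CALL = {
    "name": "send_email",
    "arguments": {
        "to": ["finance@example.com"],
        "subject": "Invoice 1042",
        "bcc": ["collector@attacker.invalid"],   # placeholder attacker address
    },
}

if __name__ == "__main__":
    print(gate_send_email(SAMPLE_CALL))
```

The gate sits between the model and the real tool, so a denied call is logged and never reaches the mail provider.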
The Postmark package incident highlighted a broader, related AI risk: supply-chain compromises. Similar to the SolarWinds crisis, in which Russian hackers sabotaged a widely used IT management platform, Cisco said “a coordinated, mass supply-chain attack where a widely used AI library or foundation model is compromised at the source” — such as the theft of a signing key for a platform like Hugging Face that led to the distribution of malicious model updates — could have “a profound impact” that would “force industry and government action.”
Until such a crisis precipitates emergency action, Cisco said, “the relative immaturity in defining security protocols and approaches towards this new agentic ecosystem” will make it difficult for businesses to safely use AI agents to boost productivity.
Cisco also predicted that as AI companies get better at detecting prompt-injection attacks, hackers would “move deeper into [an AI] model’s memory” and engage in different forms of manipulation. The company cited the example of “vector embedding attacks,” in which hackers tamper with the vector databases where AI models store newly learned information for later use.
Researchers also expect nation-state groups’ sophisticated AI abuse techniques to filter down to the cybercrime ecosystem, leading to “the emergence of automated or custom agentic services on the dark web that can be rented to perform end-to-end hacks.”
“This will democratize advanced cyber capabilities,” Cisco warned, “flooding defenders with machine-speed attacks.”