
Critical mcp-remote flaw lets attackers hijack AI client systems
The JFrog Security Research team revealed that the flaw enables attackers to execute arbitrary operating system commands on machines where mcp-remote initiates connections to untrusted Model Context Protocol (MCP) servers. This vulnerability, which is addressed in version 0.1.16, represents the first documented instance of full remote code execution against a client device via a real-world scenario involving untrusted MCP servers.
Widespread impact
According to the researchers, MCP's popularity has surged due to its use in enabling AI assistants and large language models (LLMs) to interact securely and in real-time with external data and services. The mcp-remote proxy specifically allows LLM hosts, such as Claude Desktop, to communicate with remote MCP servers even when they only natively support connections to local MCP servers. This capacity has seen mcp-remote's adoption in various software and documentation, including official guides from Cloudflare and integrations with platforms such as auth0 and Hugging Face.
The vulnerability exposes users to the risk of arbitrary OS command execution if mcp-remote is used to connect to either a malicious or hijacked MCP server, or to an MCP server over insecure connections. Under such conditions, attackers could gain remote code execution on client systems. The risk is especially pronounced on Windows, where the researchers demonstrated an exploit capable of executing shell commands with full parameter control. On macOS and Linux, the vulnerability enables execution of arbitrary binaries with more limited control, but further research may broaden its applicability.
Attack vectors
JFrog identified two key scenarios through which the attack can be executed. The first involves an MCP client connecting to an untrusted or compromised remote server using mcp-remote, which could be orchestrated by a threat actor setting up a hostile server or hijacking MCP infrastructure. The second scenario leverages insecure connections - specifically, HTTP rather than HTTPS - where an attacker on the same local network intercepts and manipulates MCP traffic between the client and server, a situation more likely when MCP servers within local area networks are trusted implicitly and insecure connections are allowed.
Technical breakdown
The vulnerability is triggered during the initial setup between mcp-remote and a remote MCP server. When configuring an LLM host like Claude Desktop to connect to a remote MCP server, users typically enter server details in a configuration file. Upon starting the connection, mcp-remote exchanges authentication data with the server. A malicious server can modify the OAuth endpoint responses - for example, sending a crafted 'authorization_endpoint' URL - which mcp-remote subsequently processes. Due to the flaw, mcp-remote may inadvertently execute arbitrary operating system commands during this process, allowing the attacker significant control over the affected system.
On Windows, the attack chain exploits the way mcp-remote interacts with PowerShell through the open-source 'open' npm package, achieving command execution by inserting specially crafted URLs. Although the same 'open' routines exist on macOS and Linux, their exploitation potential is currently more limited.
Mitigation available
JFrog advises all users of mcp-remote to update to version 0.1.16, which includes a fix for CVE-2025-6514. Additional recommendations include strictly connecting only to trusted MCP servers using encrypted HTTPS connections, and reviewing access policies for MCP infrastructure, especially in environments where remote MCP servers are used.
Or Peles, JFrog Vulnerability Research Team Leader, stated: "While remote MCP servers are highly effective tools for expanding AI capabilities in managed environments, facilitating rapid iteration of code, and helping ensure more reliable delivery of software, MCP users need to be mindful of only connecting to trusted MCP servers using secure connection methods such as HTTPS. Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem."
The research team also acknowledged Glen Maddern, mcp-remote's primary maintainer, for the prompt resolution and patch deployment addressing the issue.
MCP, an open protocol standard introduced in late 2024, has facilitated the integration of LLMs with external data and enterprise systems, both locally and remotely. While this approach expands the capabilities of AI-powered applications, the discovery of CVE-2025-6514 underlines the security responsibilities associated with deploying and connecting to MCP infrastructure.
Users are encouraged to install the latest version of mcp-remote and to audit existing deployments for potentially vulnerable configurations. Connections to MCP servers should always be established over HTTPS with appropriate trust boundaries to mitigate the risks highlighted by this vulnerability.