The Hidden Risk in Your AI Tools That Most SMBs Don't Know About

That sales AI can read your email. Your customer service chatbot can now pull data from your CRM. Your AI coding assistant just got access to your GitHub repos. This new level of AI integration is powered by something called the Model Context Protocol (MCP)—and security researchers are sounding alarms that businesses need to hear.

MCP, launched by Anthropic in November 2024, has been called the "USB-C for AI applications." It's a standard that lets AI tools connect to your data sources and business systems in a unified way. Major players like OpenAI, Google, and Microsoft have adopted it. And that's precisely why you should care about what happens when it goes wrong.

The Numbers Are Alarming

Security firm Equixly published research finding that 43% of MCP server implementations they tested contained command injection vulnerabilities—basic security flaws that could let attackers run malicious code on your systems. These aren't obscure, theoretical issues. They're the kind of vulnerabilities security professionals thought we solved decades ago, now showing up in brand-new AI integration tools.

In July 2025, JFrog Security Research discovered a critical vulnerability (CVE-2025-6514) in mcp-remote, a popular tool used to connect AI applications to external services. The flaw, with a severity score of 9.6 out of 10, allowed attackers to completely take over systems. The kicker? The tool had been downloaded over 437,000 times, affecting AI development environments across countless organizations.

New Attack Types You've Never Heard Of

The security challenges with MCP go beyond traditional hacking. Security researchers at Invariant Labs demonstrated an attack called "tool poisoning" that exploits how AI agents trust the tools they connect to. In their demonstration, an attacker placed malicious instructions inside a public GitHub issue. When a developer simply asked their AI assistant to "check the open issues," the AI followed the hidden instructions, accessed private repositories, and leaked sensitive data—all while appearing to work normally.

This worked even against Claude 4 Opus, one of the most sophisticated AI models available. The implications are sobering: your AI assistant could be manipulated through content it reads, whether that's a support ticket, a document, or a message from an external source.

Security researcher Simon Willison, who has been tracking these issues since they first emerged, has consistently warned that prompt injection remains an unsolved problem. As he notes, despite years of awareness, the industry still lacks robust solutions for preventing AI systems from being tricked by malicious content hidden in the data they process.

Why This Matters Right Now

The MCP ecosystem is growing explosively. Adoption has accelerated since Anthropic's launch, with thousands of MCP servers now available for everything from file management to business application integrations. But security practices haven't kept pace.

The AI application providers serving your business—the tools your team uses for coding, customer service, sales, marketing, and operations—may be using MCP integrations without having properly vetted their security. Many MCP implementations ship without authentication enabled. Tool descriptions that tell the AI what capabilities are available can be modified after you approve them (a "rug pull" attack). And the protocols that should protect against unauthorized access are often implemented inconsistently or not at all.

What SMBs and Their Security Providers Should Do

The good news: you don't need to become an MCP security expert. But you do need to ask the right questions of your AI application vendors. Think of it like asking a cloud provider about their SOC 2 compliance—it's due diligence that any responsible business should conduct.

Questions to Ask Your AI Vendors

You don't need to understand the technical details—just ask these questions and pay attention to how confidently and specifically they respond.

1. "Does your product connect to other tools or data sources using something called MCP?" This tells you if these risks even apply. If they say yes, keep going.
2. "How do you make sure only authorized people and systems can access our data through these connections?" A good answer mentions multiple layers of verification. Vague answers like "we take security seriously" are red flags.
3. "Do you vet the third-party tools and services your AI connects to? How?" You want to hear that they review and approve integrations before making them available—not just plug into anything.
4. "What stops a bad actor from tricking your AI into doing something it shouldn't?" This gets at the "tool poisoning" problem. Listen for mentions of filtering, monitoring, or limiting what the AI can do automatically.
5. "For sensitive actions—like accessing financial data or sending information outside our company—does someone on our team have to approve it first?" The answer should be yes for anything high-stakes.
6. "If something goes wrong, how would you know? And how would you tell us?" Good vendors monitor their systems and have a plan for notifying customers about security issues.
7. "What are you doing to stay ahead of security risks specific to AI integrations?" Look for specifics: security audits, dedicated security staff, or tools designed for this new category of risk.

For Security Providers Serving SMBs

If you're a managed security provider or IT consultant serving small and mid-sized businesses, MCP security needs to be on your radar. Your clients are adopting AI tools faster than they're evaluating the risks. Here's how to help them:

Start by inventorying AI tools in use across client environments. Many teams are adopting AI assistants, coding tools, and automation platforms without IT oversight. Understand which ones have access to sensitive data and systems.

Next, evaluate the integration architecture. Is the AI tool connecting to local files, cloud services, or internal databases? Each connection point is a potential attack surface. Tools like MCP-Scan from Invariant Labs can help identify vulnerabilities in MCP configurations.

Finally, establish policies for AI tool adoption. Just as you wouldn't let employees install random software with admin access, AI tools with data integrations need vetting before deployment.

The Bottom Line

MCP is becoming the backbone of how AI tools connect to your business. The technology is valuable, but it's immature—and the security gaps are real. The businesses that thrive in the AI era will be those that embrace these tools thoughtfully, asking hard questions and demanding security accountability from their vendors. Don't wait for a breach to make MCP security a priority.

Sources verified as of December 2025. For the latest security guidance, consult the official MCP documentation.