1. Forum
  2. tqwNet
  3. TQW GENTECH

  • Security experts flag another worrying issue with Anthropic AI sy

    From TechnologyDaily@1337:1/100 to All on Wednesday, July 02, 2025 19:45:08
    Security experts flag another worrying issue with Anthropic AI systems - here's what they found

    Date:
    Wed, 02 Jul 2025 18:33:00 +0000

    Description:
    There was a way to run malicious code on a dev's device remotely by chaining an old vulnerability with a new one.

    FULL STORY ======================================================================Anthropi c's MCP Inspector project carried a flaw that allowed miscreants to steal sensitive data, drop malware To abuse it, hackers need to chain it with a decades-old browser bug The flaw was fixed in mid-June 2025, but users should still be on their guard

    The Anthropic Model Context Protocol (MCP) Inspector project carried a critical-severity vulnerability which could have allowed threat actors to mount remote code execution (RCE) attacks against host devices, experts have warned.

    Best known for its Claude conversational AI model, Anthropic developed MCP,
    an open source standard that facilitates secure, two-way communication
    between AI systems and external data sources. It also built Inspector, a separate open source tool that allows developers to test and debug MCP servers.

    Now, it was reported that a flaw in Inspector could have been used to steal sensitive data, drop malware , and move laterally across target networks.

    Get 55% off Incogni's Data Removal service with code TECHRADAR

    Wipe your personal data off the internet with the Incogni data removal service. Stop identity thieves
    and protect your privacy from unwanted spam and scam calls. View Deal
    Patching the flaw

    Apparently, this is the first critical-level vulnerability in Anthropics MCP ecosystem, and one that opens up an entire new class of attacks.

    The flaw is tracked as CVE-2025-49596, and has a severity score of 9.4/10 - critical.

    "This is one of the first critical RCEs in Anthropic's MCP ecosystem,
    exposing a new class of browser-based attacks against AI developer tools,"
    Avi Lumelsky from Oligo Security explained.

    "With code execution on a developer's machine, attackers can steal data, install backdoors, and move laterally across networks - highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP."

    To abuse this flaw, attackers need to chain it with 0.0.0.0. Day, a two-decade-old vulnerability in web browsers that enable malicious websites
    to breach local networks, The Hacker News explains, citing Lumelsky.

    By creating a malicious website, and then sending a request to localhost services running on an MCP server, attackers could run arbitrary commands on
    a developers machine.

    Anthropic was notified about the flaw in April this year, and came back with
    a patch on June 13, pushing the tool to version 0.14.1. Now, a session token is added to the proxy server, as well as origin validation, rendering the attacks moot. You might also like Major US healthcare data provider hit by data breach - over 5 million patients affected, here's what we know Take a look at our guide to the best authenticator app We've rounded up the best password managers



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/security-experts-flag-another-worrying- issue-with-anthropic-ai-systems-heres-what-they-found


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)