MCP Endpoint & Inventory Sprawl - Ultra Security Research

Summary

MCP Sprawl is a crisis of "Inventory Invisibility." It refers to the rapid accumulation of MCP endpoints (often created via git clone and forgotten) that persist across the network without centralized tracking. These "Zombie Servers" maintain valid credentials and production access long after their creators have left the company or the original project has concluded.

Unlike Shadow AI, which focuses on employee behavior and unauthorized tool adoption, MCP Sprawl is fundamentally an infrastructure and asset management problem. The risk isn't what employees are actively doing with AI; it's what forgotten, unpatched, and ownerless MCP servers are passively exposing. This is not a theoretical concern: one financial services organization discovered 847 unknown MCP servers during an audit, with 17 accessing production databases.

What Is the Issue?

MCP Sprawl is an infrastructure visibility and lifecycle management problem. It's like discovering your network has hundreds of servers you never knew existed, each holding credentials to production systems, with no owner, no documentation, and no patch history. The danger isn't active misuse; it's passive accumulation of technical debt that attackers can exploit.

Attack Path

Developers discover MCP as a productivity tool and begin installing community-built servers (git clone, npm install, pip install), tools, and resources without security review.
Teams adopt MCP for AI automation, creating endpoints that connect to internal systems with stored credentials and seamless authentication.
No centralized registry exists. IT and security have no visibility into what's deployed, who owns it, or what permissions it holds.
Risk begins immediately. Many MCP servers run with default credentials, permissive configurations, or known vulnerabilities that attackers actively exploit. Time compounds the problem: developers leave, projects end, and servers continue running with stale credentials and no owner.
An attacker compromises one of these endpoints—likely via credential theft or direct exploitation.
Security teams cannot scope the incident because they don't know the endpoint existed, what it accessed, or what else might be affected. And once they can, it's likely too late.

Conditions That Enable It

Zero-friction deployment: Unlike enterprise software that goes through procurement, MCP servers require nothing more than downloading code from GitHub and configuring easy authentication between clients and tools. There's minimal approval workflow, security review, and registration.
Nascent ecosystem with limited governance: MCP registries are emerging (official MCP Registry, Glama, MCP Catalog, MCP Marketplace), but the ecosystem is still early. There's no universal standard for vetting servers, no required registration, and no regulation around what gets published.
Still early for traditional security tools: EDR, SIEM, and DLP systems have historically classified MCP processes as legitimate developer tools, not security-relevant assets requiring inventory. Vendors are beginning to add MCP-specific detection capabilities, but coverage remains limited.
Credentials scattered across unknown locations: MCP servers store API keys, database passwords, and OAuth tokens in configuration files. With sprawl, these credentials are duplicated across untracked servers. When it's time to rotate a secret or offboard an employee, you can't find everywhere it's stored and you're instantly at risk.

What's Different Because of MCP?

Traditional shadow IT involves employees using unapproved SaaS apps or cloud services. Shadow MCP is fundamentally different in three ways:

Depth of access: SaaS shadow IT typically involves data in one application. MCP servers can access multiple systems simultaneously: your file system, databases, APIs, email, and more.
Autonomous execution: Shadow SaaS requires human interaction. MCP servers are invoked by AI agents that operate automatically, often without human oversight for each action.
Local execution changes the isolation model: Shadow SaaS apps run externally, crossing network boundaries where traffic can be monitored and blocked. MCP servers often run locally on developer machines, inside your perimeter, with direct access to local files, credentials, and system resources. This difference in isolation creates risks that traditional network-based security controls can't see.

What This Enables

Unscoped incidents: When a breach occurs, security cannot determine which systems were exposed because they don't know what MCP endpoints exist.
Persistent access: Forgotten MCP servers with valid credentials become easy targets for attackers.
Supply chain propagation: A compromised MCP package affects all organizations using it, but without inventory, you can't identify affected systems.
Compliance failures: Auditors ask "what systems process customer data?" and you cannot answer because MCP endpoints aren't in your asset inventory.
Orphaned credentials: MCP servers hold secrets that should be rotated when employees leave. Without inventory, these credentials remain active indefinitely.

Root Cause Analysis

MCP sprawl stems from a collision between developer productivity tools and enterprise security requirements.

Friction-Free Adoption

MCP was designed for developer experience and system connectivity, not enterprise governance. The official quick start guide shows you can have a working server in under 5 minutes. This is a feature for individual seamless productivity, but a natural risk for organizational security. There's no built-in concept of registration, approval, or inventory.

Protocol Design Gaps

MCP lacks several features that would enable centralized management:

No official discovery protocol for servers to announce themselves to a registry
No standard for server metadata that would enable automated inventory
No authentication requirements between clients and servers (though OAuth is now becoming commonplace)
No mechanism for servers to easily report what resources or credentials they access

Security Tool Blindness

Traditional security tools weren't built to detect MCP:

EDR/AV: Sees MCP processes as legitimate Node.js, Python, or Docker containers
Network monitoring: May not inspect JSON-RPC traffic or recognize MCP-specific patterns
SIEM: Receives no events because MCP servers often don't generate security-relevant logs
DLP: Cannot inspect data flowing through MCP tool calls
Asset management: Designed for hardware, VMs, and SaaS repositories and resources, not locally-running developer tools and MCP servers

Cultural and Process Gaps

Organizations that successfully manage shadow IT often fail with shadow MCP because:

Developer tools are historically exempt from procurement processes
AI adoption is inherently bottom-up: employees adopt AI assistants individually, then extend them with MCP integrations, bypassing procurement and approval workflows
Security teams lack expertise in MCP architecture and risks
No clear ownership model exists for developer-created integrations
Monitoring internal AI workflows is in its infancy, with few established tools or practices

Risk & Impact Analysis

Why It Matters

"You can't protect what you can't see" is a security cliché because it's true. MCP sprawl creates blind spots that compound over time:

Each new untracked server increases attack surface
Each passing month increases the chance of credential staleness, owner departure, and forgotten access
Each AI agent connected to untracked servers multiplies the potential blast radius

The postmark-mcp incident (September 2025) demonstrated this risk: a backdoored npm package exfiltrated emails for weeks before discovery. Organizations without MCP inventory had no way to know if they were affected.

Impact Categories

Unscoped Incidents

Cannot determine blast radius when breaches occur

Persistent Access

Forgotten servers become long-term attacker footholds

Compliance Failures

Cannot answer auditor questions about data processing

Orphaned Credentials

Secrets in MCP configs not rotated when employees leave

Who Can Exploit or Trigger It

External attackers: Forgotten MCP servers act as persistent access points, and compromise supply chain packages since potential victims can't identify affected systems.
Malicious insiders: Deploy MCP servers for data exfiltration, knowing security has no visibility.
Negligent employees: Create MCP servers with excessive permissions, store credentials and approve actions or tools insecurely, then leave the company without handoff.
Third-party vendors: Provide MCP integrations that customers deploy without inventory, creating hidden dependencies.

Stakeholder Impact

Party	Impact	Risk Level
Security Teams	Cannot assess risk, scope incidents, or enforce policy on invisible assets	Critical
IT Operations	Cannot manage lifecycle, apply patches, or decommission unknown endpoints	High
Compliance/Audit	Cannot demonstrate control over data processing systems	High
Developers	May inherit unmaintained MCP servers with security debt	Medium
Executive Leadership	Liable for breaches involving systems they didn't know existed	High

Proof of Concept

Scenario: The Innovation Lab Layoff

Context: Large enterprise with 5,000 employees. An "AI Innovation Lab" of 12 engineers is tasked with exploring AI-powered automation.

Month 1-3: The lab experiments aggressively.

Team downloads and deploys 40+ MCP servers from GitHub, npm, and community repos.
Servers connect to Salesforce, Jira, Confluence, internal databases, and AWS.
Credentials are stored in local config files for speed. No formal documentation.
IT is aware the lab exists but not tracking what they deploy.

Month 4: Budget cuts hit. The entire AI Innovation Lab is laid off.

Laptops are wiped and returned per standard offboarding.
But 28 MCP servers were deployed to shared dev VMs and staging environments, not local machines.
No one knows they exist. No inventory. No handoff.

Month 5: Servers keep running.

MCP servers continue polling Salesforce, syncing Jira tickets, querying production DBs.
Credentials still work because no one knew to revoke them.
One server running an outdated npm package with a known vulnerability sits exposed.

Month 6: Security incident.

Attacker exploits the vulnerable MCP server on a forgotten staging VM.
Gains access to Salesforce OAuth tokens and internal database credentials.
Lateral movement begins before anyone notices.

Month 7: Incident response.

Security scrambles to scope the breach but can't answer basic questions:
How many MCP servers did the lab deploy?
What systems did they connect to?
Which credentials are compromised?
Former employees are contacted. No one remembers the full list.
Remediation takes 3 months. Full scope is never confirmed.

Why This Works

This scenario illustrates the core of MCP Sprawl: it's not about what employees are actively doing wrong (that's Shadow AI). It's about what forgotten, ownerless infrastructure is passively exposing.

The layoff accelerated the problem, but the risk existed from day one. Without inventory, security had no way to know what was deployed, what it connected to, or what credentials it held. The attackers didn't need anything sophisticated. They found an unpatched server on a forgotten VM and walked in.

The financial services audit that discovered 847 unknown MCP servers shows this isn't hypothetical. Without inventory, every MCP server is a potential blind spot. Every blind spot is a potential entry point. Every entry point without visibility is an incident you may never fully understand.

Potential Mitigations

Implement Automated Discovery

Discovery is the foundation. You cannot manage what you cannot see.

Deploy network-level detection for MCP protocol signatures: JSON messages with "jsonrpc": "2.0" and MCP-specific methods (tools/list, tools/call, resources/list).
Scan endpoints for MCP client configurations (mcp.json, claude_desktop_config.json, .cursor/mcp.json).
Monitor for processes running known MCP server frameworks (FastMCP, official MCP SDK, etc.).
Use API gateway logs to identify MCP traffic patterns.
Schedule regular network sweeps to catch new deployments between scans.

Establish MCP Asset Management

Create a mandatory MCP registry as part of your asset inventory. Every server and client must be registered with owner, purpose, permissions, environment, and review date.
Treat MCP endpoints with the same rigor as production services: they require approval, documentation, and periodic review.
Assign ownership explicitly. When an owner leaves, MCP servers must be transferred or decommissioned.
Maintain dashboards showing discovered vs. registered endpoints to identify gaps.

Integrate with SBOM and SCA Pipelines

Add MCP servers and their dependencies to your Software Bill of Materials (SBOM).
Run software composition analysis (SCA) on MCP packages to identify vulnerable dependencies.
Track which versions of MCP frameworks and packages are deployed across the organization.
Enable rapid response to vulnerability disclosures by knowing exactly where affected packages run.

Create Lifecycle Management Protocols

Document clear decommissioning procedures for MCP servers when projects end or owners leave.
Include MCP server handoff in employee offboarding checklists.
Establish periodic review cycles (quarterly) to validate that registered servers are still needed.
Automatically flag servers with no activity for 90+ days for review or decommissioning.
Require credential rotation for any MCP server whose owner changes.

Deploy Centralized Governance

Use an MCP gateway or proxy that all servers must connect through. This creates automatic inventory, enables policy enforcement, and provides centralized logging.
Add CI/CD policy checks that block unapproved MCP packages or server configurations.
Apply network segmentation to isolate MCP traffic from sensitive resources.
Block outbound connections from unapproved MCP endpoints.

Severity Rating

Factor	Score	Justification
Exploitability	7/10	Attackers can target known-vulnerable MCP packages or scan for exposed endpoints; requires finding untracked servers
Impact	8/10	Untracked servers may have production access; incidents cannot be scoped; credentials persist indefinitely
Detection Difficulty	9/10	Traditional security tools don't see MCP; no logs generated; appears as legitimate developer activity
Prevalence	8/10	Affects any organization with developers using AI tools; barrier to entry is near-zero
Remediation Complexity	6/10	Discovery tools exist; governance processes can be implemented; requires cultural change

Overall Severity: 7.5/10 (High) — The detection difficulty and prevalence scores drive the severity. Most organizations have MCP sprawl but don't know it.

Shadow AI (rogue LLMs running workflows via MCP)
Lack of centralized inventory / governance of MCP endpoints
Missing audit logs for tool calls
Credential/token passthrough leakage
AI Supply Chain & Third-Party Risks

References

OWASP MCP Top 10: Shadow MCP Servers - Security Framework
Clutch Security: Shadow AI Discovery - Vendor Research
Oasis Security: Lessons from the MCP Breach - Incident Analysis
Prompt Security: Shadow MCP Servers - Threat Research
MCP-Manager: Shadow MCP Detection Checklist - Implementation Guide
Tray.ai: Shadow MCP and AI Sprawl - Vendor Perspective
Pillar Security: AI Asset Sprawl - Conceptual Framework
RTInsights: Shadow MCP in Codebases - Technical Analysis
Cloud Whisperer: MCP Client Sprawl - Best Practices
Noma Security: MCP Server Security - Vendor Solution

Report generated as part of the MCP Security Research Project

Severity: 7.5/10 (High)