Knostic’s research team conducted a systematic study to locate exposed MCP servers on the internet. Leveraging Shodan and custom Python tools, we fingerprinted and mapped production MCP servers. All servers we discovered were insecure and revealed their capabilities to anyone asking. In this series of posts, we are sharing our findings, along with a guide detailing how we fingerprinted MCP servers.

We identified a total of 1,862 MCP servers exposed to the internet. From this set, we manually verified a sample of 119. All 119 servers granted access to internal tool listings without authentication.

While only servers exposed to the internet were tested, and many others may be running on private networks, the number we identified is relatively low, suggesting that adoption still has a long way to go. None of the servers were secure, and many were unstable when we connected to them and exhibited various bugs. This further indicates the relatively low maturity of the technology and its current stage of adoption.

From this, we can conclude that while the technology is being actively explored and adopted, it remains in the early stages of the adoption curve. The systems’ low stability and lack of security are significant concerns. It suggests that, as with previous technologies, security may only be actively introduced after widespread exploitation has already occurred.

How We Did It

MCP was not originally released with security in mind. Using Shodan and a suite of custom Python tools, we fingerprinted and mapped production servers that responded to unauthenticated, protocol-compliant handshake requests. These servers openly revealed their capabilities to anyone who knew how to ask the right questions.

We began by researching the distinctive traits of MCP servers to support accurate fingerprinting. We then trained Shodan to recognize these traits using a script that contains more than 100 Shodan filters.
The filters capture multiple dimensions of an MCP server's identity, ...
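
One way to close the exposure described above, as an added example (not Knostic's code and not any MCP SDK's API): a WSGI middleware that refuses every request lacking the expected bearer token before the JSON-RPC body is parsed, so an unauthenticated `initialize` or `tools/list` call discloses nothing. The stand-in server, its tool name, the `call` helper and the static shared token are all constructed assumptions.

```python
import hmac
import io
import json

# Constructed stand-in for an MCP JSON-RPC endpoint (hypothetical tool name).
def mcp_app(environ, start_response):
    size = int(environ.get("CONTENT_LENGTH") or 0)
    req = json.loads(environ["wsgi.input"].read(size) or b"{}")
    listing = req.get("method") == "tools/list"
    result = {"tools": [{"name": "internal_db_query"}]} if listing else {}
    body = json.dumps({"jsonrpc": "2.0", "id": req.get("id"), "result": result}).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]

def require_bearer(app, expected_token):
    """WSGI middleware: reject any request without the expected bearer token
    before the wrapped handler reads the body, whatever the JSON-RPC method."""
    expected = expected_token.encode()

    def gated(environ, start_response):
        scheme, _, presented = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        # Constant-time comparison avoids leaking the token through timing.
        ok = scheme.lower() == "bearer" and hmac.compare_digest(
            presented.strip().encode(), expected)
        if not ok:
            body = b'{"error":"unauthorized"}'
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", "Bearer"),
                ("Content-Type", "application/json"),
                ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return gated

def call(app, method, token=None):
    """Drive a WSGI app in-process with a constructed JSON-RPC POST."""
    payload = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method}).encode()
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(payload)),
               "wsgi.input": io.BytesIO(payload)}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    seen = {}
    chunks = app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(chunks).decode()
```

Calling `call(mcp_app, "tools/list")` against the unwrapped stand-in returns the tool listing, while the same call through `require_bearer(mcp_app, token)` returns 401 with no tool names in the body.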