06-27, 09:30–10:15 (Europe/Vienna), Mittlerer Saal (Track 1)
TLDR: If you as an attacker want more tools to gain RCE and persistence MCP is exactly that.
AI agents are rapidly becoming a new interface to enterprise systems: they read internal knowledge, call APIs, and execute actions through connected tools. MCP standardizes this tool access, but it also creates a new, high-impact attack surface: tool execution integrity.
Basically our talk shows all the ways attackers can leverage MCP for RCE and persistence.
In this talk we demonstrate “MCP hijacking in the wild” through an attack demo that shows how a compromised or malicious MCP tool execution path can become an attacker control channel. Critically, we show why common hardening approaches are insufficient in practice by demonstrating bypass and/or time-of-check/time-of-use gaps during the demo itself.
We close with a proof-of-concept integrity protection method designed to raise the bar against MCP toolchain compromise by enforcing trustworthy tool identity and invocation integrity, with practical guidance
I am a security consultant at KPMG. I love breaking AI and using AI to break other stuff. When AI becomes too much hype and magic I go touch some grass and break into buildings.