Executive Summary
In January 2026, Anthropic addressed critical vulnerabilities in its Git MCP server, a key component of the Model Context Protocol enabling AI tools to interact with code repositories. Security researchers identified three significant flaws: a path validation bypass (CVE-2025-68145), an unrestricted git_init issue (CVE-2025-68143), and an argument injection flaw in git_diff (CVE-2025-68144). These vulnerabilities, particularly when combined with the Filesystem MCP server, could allow remote code execution or file tampering via prompt injection. Reported in June 2025, these issues were patched by Anthropic in December 2025 with version 2025.12.18. While no active exploitation has been confirmed, this incident highlights the growing risks associated with integrating complex AI systems, where safe components may become vulnerable when used together. The event also references a prior incident from November 2025, where Anthropic's Claude AI was manipulated in a cyberespionage campaign targeting major global entities, underscoring the broader cybersecurity challenges linked to rapid AI adoption.
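The three defect classes named above, shown as the defender-side checks a repository-scoped MCP tool should apply. This is an added example written for this brief, not Anthropic's Git MCP server code; the function names, the allowed-root list and the sample paths are assumptions.

```python
"""Added example (not Anthropic's code): defensive input checks for a
repository-scoped MCP tool. Function names, the allowed-root list and the
sample inputs are assumptions constructed for illustration."""
import os
import subprocess


def is_within_allowed_roots(requested: str, allowed_roots: list[str]) -> bool:
    """Path validation: canonicalise, then require the path to sit inside a root.

    realpath collapses '..' and symlinks so they cannot escape the root, and
    commonpath stops a sibling such as '/srv/repos-evil' matching '/srv/repos'.
    """
    target = os.path.realpath(requested)
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        if os.path.commonpath([root_real, target]) == root_real:
            return True
    return False


def git_init_allowed(requested: str, allowed_roots: list[str]) -> bool:
    """git_init may only create a repository under an allowed root."""
    return is_within_allowed_roots(requested, allowed_roots)


def build_diff_command(target: str, paths: list[str]) -> list[str]:
    """Argument injection guard for git_diff: refuse option-like tokens.

    Passing a list to subprocess avoids a shell, but git itself still parses
    any token beginning with '-' as an option, so such tokens are rejected
    and '--' is inserted so that later tokens can only be paths.
    """
    for tok in [target, *paths]:
        if not tok or tok.startswith("-") or any(c.isspace() for c in tok):
            raise ValueError(f"refused git argument: {tok!r}")
    return ["git", "diff", target, "--", *paths]


def run_diff(repo: str, target: str, paths: list[str], allowed_roots: list[str]) -> str:
    """Apply both checks before invoking git; returns the diff text."""
    if not is_within_allowed_roots(repo, allowed_roots):
        raise PermissionError(f"repository outside allowed roots: {repo}")
    cmd = build_diff_command(target, paths)
    return subprocess.run(cmd, cwd=repo, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    roots = ["/srv/repos"]  # constructed allow-list
    for p in ["/srv/repos/proj", "/srv/repos/proj/../../etc", "/srv/repos-evil/x"]:
        print(p, "->", "allowed" if is_within_allowed_roots(p, roots) else "refused")
    print(build_diff_command("HEAD~1", ["src/app.py"]))
```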
Why This Matters Now
The rapid integration of AI systems into critical infrastructure has introduced new attack vectors, as demonstrated by the vulnerabilities in Anthropic's Git MCP server. This incident underscores the urgent need for robust security measures in AI development and deployment to prevent potential exploitation and safeguard sensitive data.
Attack Path Analysis
An attacker exploited vulnerabilities in a locally hosted MCP server to execute arbitrary code, escalating privileges to gain deeper system access. They moved laterally to compromise additional systems, established command and control channels, exfiltrated sensitive data, and ultimately disrupted operations by manipulating AI assistant behaviors.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited vulnerabilities in the locally hosted MCP server to execute arbitrary code with user privileges.
Related CVEs
CVE-2025-68145
CVSS 6.4
A path validation bypass in Anthropic's Git MCP server allows attackers to execute arbitrary code remotely.
Affected Products:
Anthropic Git MCP Server – < 2025.12.18
Exploit Status:
proof of concept
CVE-2025-68143
CVSS 6.5
An unrestricted git_init issue in Anthropic's Git MCP server enables remote code execution.
Affected Products:
Anthropic Git MCP Server – < 2025.12.18
Exploit Status:
proof of concept
CVE-2025-68144
CVSS 6.3
An argument injection flaw in git_diff of Anthropic's Git MCP server allows remote code execution.
Affected Products:
Anthropic Git MCP Server – < 2025.12.18
Exploit Status:
proof of concept
CVE-2025-49596
CVSS 9.4
A CSRF vulnerability in MCP Inspector allows remote code execution via crafted web pages.
Affected Products:
Anthropic MCP Inspector – < 2025.07.03
Exploit Status:
proof of concept
CVE-2025-53967
CVSS 8
A command injection vulnerability in figma-developer-mpc allows remote code execution.
Affected Products:
Framelink figma-developer-mpc – < 0.6.3
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Compromise Infrastructure: Server
Command and Scripting Interpreter
Spearphishing Attachment
Application Layer Protocol
Impair Defenses
Data from Local System
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data
Control ID: Pillar 3
NIS2 Directive – Security Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
MCP server supply chain attacks targeting AI integrations enable code execution and data exfiltration through development pipelines and software distribution channels.
Information Technology/IT
Zero trust segmentation failures allow lateral movement through MCP server chains, compromising multicloud visibility and egress security controls across IT infrastructure.
Financial Services
Encrypted traffic interception and east-west security gaps enable credential harvesting in financial AI systems, leading to HIPAA and PCI compliance violations.
Computer/Network Security
Threat detection capabilities are bypassed by malicious MCP servers exploiting Kubernetes security gaps and cloud firewall misconfigurations in security platforms.
Sources
- MCP Server Security: The Hidden AI Attack Surface: https://www.praetorian.com/blog/mcp-server-security-the-hidden-ai-attack-surface/
- Anthropic's official Git MCP server had some worrying security flaws - this is what happened next: https://www.techradar.com/pro/security/anthropics-official-git-mcp-server-had-some-worrying-security-flaws-this-is-what-happened-next
- Anthropic MCP Server Flaws Lead to Code Execution, Data Exposure: https://www.securityweek.com/anthropic-mcp-server-flaws-lead-to-code-execution-data-exposure/
- Anthropic Model Context Protocol (MCP) Inspector Remote Code Execution Vulnerability (CVE-2025-49596): https://threatprotect.qualys.com/2025/07/03/anthropic-model-context-protocol-mcp-inspector-remote-code-execution-vulnerability-cve-2025-49596/
- Worrying Framelink MCP security flaw could let hackers execute code remotely - here's how to stay safe: https://www.techradar.com/pro/security/worrying-figma-mcp-security-flaw-could-let-hackers-execute-code-remotely-heres-how-to-stay-safe
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have significantly limited the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained, reducing the likelihood of successful code execution.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, reducing the scope of system access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been constrained, limiting access to additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels could have been limited, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been constrained, limiting data loss.
The attacker's ability to disrupt operations could have been limited, reducing operational impact.
Impact at a Glance
Affected Business Functions
- Software Development
- Data Management
- IT Operations
Estimated downtime: 14 days
Estimated loss: $500,000
Potential exposure of sensitive code repositories, internal documentation, and user data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict access between workloads and limit lateral movement.
- Enforce East-West Traffic Security to monitor and control internal communications, detecting unauthorized movements.
- Deploy Threat Detection & Anomaly Response systems to identify and respond to suspicious activities in real time.
- Utilize Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Ensure Multicloud Visibility & Control to maintain oversight across all cloud environments and detect anomalies.