Advisory severity: high

Windows-MCP Unauthenticated PowerShell Control via HTTP Transports

Windows-MCP versions prior to 0.7.5 are vulnerable to unauthenticated PowerShell control via HTTP transports due to wildcard CORS and missing authentication, allowing a remote attacker to execute arbitrary PowerShell commands as the user running Windows-MCP.

Windows-MCP versions prior to 0.7.5 are vulnerable to a critical security flaw in the SSE and Streamable HTTP transport modes. This vulnerability exposes the MCP control plane without authentication and enables wildcard CORS handling, effectively allowing unauthenticated remote attackers to execute arbitrary PowerShell commands. The PowerShell tool, registered within Windows-MCP, executes caller-controlled commands as the Windows user running the application. This vulnerability arises from the composition of two design flaws: the lack of authentication in the FastMCP instance and the blanket wildcard CORS policy, which permits cross-origin browsers and non-browser HTTP clients to access the MCP control plane. This combination allows attackers to bypass typical security measures, leading to arbitrary code execution on the affected system.

Attack Chain

  1. Attacker sends an HTTP OPTIONS request to the /mcp endpoint with a crafted Origin header. The server responds with wildcard CORS headers, including access-control-allow-origin: *.
  2. Attacker sends an HTTP POST request to the /mcp endpoint to initialize an MCP session using the initialize method with a specified protocol version and client information.
  3. The server creates an MCP session and returns a session ID to the attacker in the mcp-session-id header.
  4. Attacker sends an HTTP POST request to the /mcp endpoint, including the previously obtained Mcp-Session-Id in the header.
  5. The attacker calls the tools/call method to invoke the PowerShell tool.
  6. The attacker includes arguments in the tools/call request to execute a specified PowerShell command, such as calc.exe.
  7. The Windows-MCP application executes the attacker-supplied PowerShell command using PowerShell -EncodedCommand.
  8. The attacker achieves arbitrary code execution on the target system as the user running Windows-MCP.

Impact

Successful exploitation allows remote attackers to execute arbitrary PowerShell commands as the user running Windows-MCP. While Chrome/Edge may block or prompt for public-site-to-localhost requests due to Local Network Access / Private Network Access behavior, the exposure still applies to same-origin/private-origin contexts, browsers or apps without this enforcement, user-approved local-network prompts, browser extensions, and non-browser HTTP clients. This can lead to complete system compromise, data exfiltration, and further malicious activities.

Recommendation

  • Upgrade to Windows-MCP version 0.7.5 or later to patch the vulnerability.
  • Implement authentication for HTTP transports to prevent unauthenticated access to the MCP control plane.
  • Remove wildcard CORS from MCP control endpoints and restrict allowed origins to explicit trusted clients.
  • Enable and propagate transport security settings such as host validation.
  • Monitor web server logs (the webserver log source) for HTTP OPTIONS requests with suspicious Origin headers and subsequent requests to the /mcp endpoint, and deploy the Sigma rules in this brief to detect and alert on potential exploitation attempts.

Detection coverage (2 rules)

Detect Windows-MCP PowerShell Execution via HTTP

Severity: high

Detects suspicious PowerShell execution via the Windows-MCP HTTP endpoint. This detects calls to the 'tools/call' method with the 'PowerShell' tool.

Rule type: Sigma · Tactics: execution · Techniques: T1059.001 · Sources: webserver

Detect Windows-MCP Wildcard CORS Configuration

Severity: medium

Detects HTTP OPTIONS requests to the Windows-MCP endpoint that return a wildcard Access-Control-Allow-Origin header, indicating a vulnerable CORS configuration.

Rule type: Sigma · Tactics: initial_access · Techniques: T1595.002 · Sources: webserver
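As an added example (not code from this brief or from the Windows-MCP project), the logic of both detection rules above expressed in Python and run over constructed JSON-lines web-server log records; the log field names (method, path, origin, status, resp_headers, body) and the assumption that the request body and response headers are logged are mine, not a real log schema.

```python
import json

# Constructed sample web-server log records for a Windows-MCP host.
# Field names are assumptions for this example, not a real log schema.
SAMPLE_RECORDS = [
    {"method": "OPTIONS", "path": "/mcp", "origin": "https://site.example", "status": 200,
     "resp_headers": {"Access-Control-Allow-Origin": "*"}},
    {"method": "POST", "path": "/mcp", "status": 200,
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "initialize",
                         "params": {"protocolVersion": "2025-03-26"}})},
    {"method": "POST", "path": "/mcp", "status": 200,
     "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                         "params": {"name": "PowerShell", "arguments": {"command": "calc.exe"}}})},
    {"method": "POST", "path": "/mcp", "status": 200,
     "body": json.dumps({"jsonrpc": "2.0", "id": 3, "method": "tools/call",
                         "params": {"name": "SomeOtherTool", "arguments": {}}})},
    {"method": "OPTIONS", "path": "/mcp", "origin": "https://site.example", "status": 200,
     "resp_headers": {"Access-Control-Allow-Origin": "http://localhost:3000"}},
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

def detect_wildcard_cors(rec):
    """Medium: OPTIONS to /mcp answered with Access-Control-Allow-Origin: *."""
    if rec.get("method") != "OPTIONS" or not str(rec.get("path", "")).startswith("/mcp"):
        return None
    headers = {k.lower(): v for k, v in (rec.get("resp_headers") or {}).items()}
    if headers.get("access-control-allow-origin") == "*":
        return "Windows-MCP wildcard CORS configuration"
    return None

def detect_powershell_tool_call(rec):
    """High: POST to /mcp whose JSON-RPC body is tools/call for the PowerShell tool."""
    if rec.get("method") != "POST" or not str(rec.get("path", "")).startswith("/mcp"):
        return None
    try:
        body = json.loads(rec.get("body") or "")
    except ValueError:          # no body, or body is not JSON: nothing to inspect
        return None
    params = body.get("params") if isinstance(body, dict) else None
    if isinstance(params, dict) and body.get("method") == "tools/call" \
            and params.get("name") == "PowerShell":
        return "Windows-MCP PowerShell execution via HTTP"
    return None

def scan(log_lines):
    """Return (line number, rule title) for every record that matches a rule."""
    alerts = []
    for n, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue                # skip malformed log lines rather than crash
        for rule in (detect_wildcard_cors, detect_powershell_tool_call):
            title = rule(rec)
            if title:
                alerts.append((n, title))
    return alerts

if __name__ == "__main__":
    for n, title in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: {title}")
```

Records 2, 4 and 5 (an initialize call, a call to a different tool, and an OPTIONS response with an explicit origin) produce no alert, which is the false-positive boundary a production rule should keep.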
