{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-mcp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["windows-mcp"],"_cs_severities":["high"],"_cs_tags":["remote-code-execution","windows-mcp","CORS"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWindows-MCP versions prior to 0.7.5 are vulnerable to a critical security flaw in the SSE and Streamable HTTP transport modes. This vulnerability exposes the MCP control plane without authentication and enables wildcard CORS handling, effectively allowing unauthenticated remote attackers to execute arbitrary PowerShell commands. The \u003ccode\u003ePowerShell\u003c/code\u003e tool, registered within Windows-MCP, executes caller-controlled commands as the Windows user running the application. This vulnerability arises from the composition of two design flaws: the lack of authentication in the FastMCP instance and the blanket wildcard CORS policy, which permits cross-origin browsers and non-browser HTTP clients to access the MCP control plane. This combination allows attackers to bypass typical security measures, leading to arbitrary code execution on the affected system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sends an HTTP OPTIONS request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint with a crafted \u003ccode\u003eOrigin\u003c/code\u003e header. The server responds with wildcard CORS headers, including \u003ccode\u003eaccess-control-allow-origin: *\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends an HTTP POST request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint to initialize an MCP session using the \u003ccode\u003einitialize\u003c/code\u003e method with a specified protocol version and client information.\u003c/li\u003e\n\u003cli\u003eThe server creates an MCP session and returns a session ID to the attacker in the \u003ccode\u003emcp-session-id\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eAttacker sends an HTTP POST request to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint, including the previously obtained \u003ccode\u003eMcp-Session-Id\u003c/code\u003e in the header.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the \u003ccode\u003etools/call\u003c/code\u003e method to invoke the \u003ccode\u003ePowerShell\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eThe attacker includes arguments in the \u003ccode\u003etools/call\u003c/code\u003e request to execute a specified PowerShell command, such as \u003ccode\u003ecalc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Windows-MCP application executes the attacker-supplied PowerShell command using \u003ccode\u003ePowerShell -EncodedCommand\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the target system as the user running Windows-MCP.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows remote attackers to execute arbitrary PowerShell commands as the user running Windows-MCP. While Chrome/Edge may block or prompt for public-site-to-localhost requests due to Local Network Access / Private Network Access behavior, the exposure still applies to same-origin/private-origin contexts, browsers or apps without this enforcement, user-approved local-network prompts, browser extensions, and non-browser HTTP clients. This can lead to complete system compromise, data exfiltration, and further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Windows-MCP version 0.7.5 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement authentication for HTTP transports to prevent unauthenticated access to the MCP control plane.\u003c/li\u003e\n\u003cli\u003eRemove wildcard CORS from MCP control endpoints and restrict allowed origins to explicit trusted clients.\u003c/li\u003e\n\u003cli\u003eEnable and propagate transport security settings such as host validation.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP OPTIONS requests with suspicious \u003ccode\u003eOrigin\u003c/code\u003e headers and subsequent requests to the \u003ccode\u003e/mcp\u003c/code\u003e endpoint using the \u003ccode\u003ewebserver\u003c/code\u003e log source and deploy the Sigma rules in this brief to detect and alert on potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T16:47:07Z","date_published":"2026-05-21T16:47:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-windows-mcp-rce/","summary":"Windows-MCP versions prior to 0.7.5 are vulnerable to unauthenticated PowerShell control via HTTP transports due to wildcard CORS and missing authentication, allowing a remote attacker to execute arbitrary PowerShell commands as the user running Windows-MCP.","title":"Windows-MCP Unauthenticated PowerShell Control via HTTP Transports","url":"https://feed.craftedsignal.io/briefs/2026-05-windows-mcp-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows-Mcp","version":"https://jsonfeed.org/version/1.1"}