State of MCP Server Security 2025: 5,200 Servers, Credential Risks, and an Open-Source Fix – Astrix Security
Astrix Research’s State of MCP Server Security 2025 report exposes widespread identity and credential security gaps across the rapidly growing Model Context Protocol (MCP) ecosystem. After analyzing over 5,200 open-source MCP server implementations, the findings reveal a concerning trend: 88% of MCP servers require credentials, yet 53% rely on insecure static secrets such as API keys and Personal Access Tokens (PATs). In contrast, only 8.5% have adopted secure, modern authentication methods like OAuth, underscoring a serious identity management and credential hygiene problem across the AI agent landscape.
The MCP framework, originally developed to empower AI agents to interact with APIs and perform autonomous tasks, has become a foundational component of enterprise AI adoption. However, Astrix’s research highlights that most developers have followed outdated security patterns, embedding long-lived credentials directly in configuration files or environment variables. This has created an ecosystem vulnerable to compromise, privilege abuse, and unauthorized access. Alarmingly, 79% of servers store API keys in simple environment variables, exposing secrets on host machines and making them easily retrievable by attackers or malware.
To address this growing threat, Astrix introduced the MCP Secret Wrapper, a new open-source security utility designed to eliminate static credentials from MCP servers. The wrapper retrieves secrets dynamically from secure vaults such as AWS Secrets Manager at runtime, preventing hardcoded exposure while allowing secure, seamless server operation. This tool marks a practical step forward in runtime secret management and non-human identity security, two pillars essential for safeguarding enterprise AI infrastructures.
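A minimal sketch of the runtime-retrieval pattern described above, added here as an illustration; it is not Astrix's MCP Secret Wrapper code. The `vault:` reference prefix, the function names and the sample secret id are assumptions, and `boto3` is needed only for the real AWS Secrets Manager call.

```python
import os
import subprocess
import sys

REF_PREFIX = "vault:"  # assumed marker meaning "this value is a vault reference"


def fetch_from_aws(secret_id):
    """Read one secret from AWS Secrets Manager at call time."""
    import boto3  # imported lazily so the resolver can be exercised offline
    client = boto3.client("secretsmanager")
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


def resolve_env(spec, fetch=fetch_from_aws):
    """Turn {VAR: 'vault:<id>'} into {VAR: <secret>}; reject literal values."""
    resolved = {}
    for name, value in spec.items():
        if not value.startswith(REF_PREFIX):
            # A literal here would be a static secret sitting in configuration.
            raise ValueError(f"{name}: expected a {REF_PREFIX}<id> reference")
        secret_id = value[len(REF_PREFIX):]
        if not secret_id:
            raise ValueError(f"{name}: empty secret id")
        resolved[name] = fetch(secret_id)
    return resolved


def launch(command, spec, fetch=fetch_from_aws):
    """Start the MCP server with the secrets injected into the child process only."""
    child_env = {**os.environ, **resolve_env(spec, fetch)}
    return subprocess.run(command, env=child_env, check=False).returncode


if __name__ == "__main__":
    # Constructed usage:
    #   python wrapper.py GITHUB_TOKEN=vault:mcp/github -- <server command> [args]
    args = sys.argv[1:]
    if "--" not in args:
        sys.exit("usage: wrapper.py VAR=vault:<id> ... -- command [args]")
    split = args.index("--")
    spec = dict(item.split("=", 1) for item in args[:split])
    sys.exit(launch(args[split + 1:], spec))
```

With this pattern the configuration file carries only references, and the secret value exists only in the server process's environment for its lifetime.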
The research underscores that the problem runs deeper than just static credentials. The root issue lies in the mismanagement of Non-Human Identities (NHIs): the service accounts, bots, and agents that operate autonomously across enterprise networks. Without governance, rotation, or least privilege enforcement, these identities become hidden attack vectors. The Astrix report argues for an architectural shift toward short-lived, scoped, and vault-managed credentials, enforced through automation and runtime authorization.
To that end, Astrix’s Agent Control Plane (ACP) provides an enterprise-grade solution for deploying secure-by-design AI agents. Each agent receives just-in-time, short-lived credentials and limited access scopes, dramatically reducing the attack surface and improving compliance posture.
From a methodology standpoint, the Astrix team’s research combined large-scale GitHub analysis, LLM-assisted data classification, and deep credential-type categorization to deliver the most comprehensive snapshot yet of MCP identity security. The dataset revealed over 20,000 unique MCP server implementations, a scale that emphasizes both the opportunity and the risk at hand.
Key Insights
- 88% of MCP servers require credentials, confirming identity reliance across the ecosystem.
- 53% use insecure static credentials (API keys or PATs), rarely rotated or scoped.
- Only 8.5% have adopted OAuth, the gold standard for delegated, secure authentication.
- 79% store credentials in environment variables, leaving secrets exposed on hosts.
- MCP’s identity management remains immature, mirroring the early API security challenges of the 2010s.
The Path Forward
The State of MCP Server Security 2025 makes one thing clear: securing AI agents starts with securing their identities. Developers and enterprises must replace static, hardcoded secrets with vault-based dynamic credentials and enforce identity governance for machine accounts. By combining tools like Astrix’s MCP Secret Wrapper with architectural solutions such as the Agent Control Plane, organizations can move toward zero-standing privilege, continuous credential rotation, and real-time access control for all AI-driven systems.