Wallarm Research Releases Nuclei Template to Counter Threats Targeting LLM Apps

Wallarm Research has just released a powerful new Nuclei template targeting a new kind of exposure: the Model Context Protocol (MCP). This isn’t about legacy devtools or generic JSON-RPC pinging. It’s about the protocol fueling next-gen LLM applications — and it’s already showing up exposed in the wild.

What is Model Context Protocol?

MCP, developed by Anthropic, introduces a standardized way for language model hosts to connect with external tools, prompts, and structured resources through JSON-RPC 2.0. Think of it as the USB-C for AI infrastructure: plug-in-anywhere simplicity, with deep execution power behind the scenes. The Model Context Protocol enables platforms like Claude Desktop to call toolchains, reference internal datasets, and generate responses based on dynamic prompt templates — all through a unified interface.

Here’s the risk: the protocol is openly specified at modelcontextprotocol.io, so anyone can speak it, and these MCP servers are often exposed.

What Is the Risk and How Does It Work?

Wallarm’s latest threat intelligence shows dozens of deployments where MCP backends have been unintentionally published to the internet, often by internal AI labs, fast-moving dev teams, or unsecured cloud-hosted experiments. These are servers running MCP’s HTTP transports (SSE or Streamable HTTP); a stdio-transport server is only reachable from the local machine. The result: unauthenticated access to sensitive LLM control surfaces. From listing internal prompts and tools to invoking operations directly, exposed MCP endpoints are a goldmine for adversaries.

To visualize how this works under the hood:

The host (an AI app or IDE) speaks to an MCP client embedded inside it. That client interacts with the MCP server over JSON-RPC 2.0. Behind the server sit the tool, prompt, and resource definitions. Authorization for the HTTP transports is optional in the MCP specification, so a server that skips it trusts whoever can reach it. When attackers gain network access, they bypass the client entirely and talk straight to the server: invoking methods, exfiltrating data, and probing logic that was meant to be reached only through a trusted host.

Wallarm’s Solution: Template for Nuclei

To counter this, Wallarm engineered the mcp-jsonrpc2-ultimate-detect template for Nuclei. It goes beyond simple health checks and directly queries the known MCP-exposed methods. Methods like tools/list, resources/list, and prompts/list are probed with structured JSON-RPC payloads, using Nuclei’s pitchfork attack mode to cycle through them. Responses are parsed for keys such as available_tools, observatories_by_type, and parameterized fields, confirming that an active MCP server is answering with privileged internals.

A sample payload is a plain JSON-RPC 2.0 request (params is an object, as MCP expects; a cursor field goes inside it when paging a long list):

{
  "jsonrpc": "2.0",
  "method": "tools/list",
  "params": {},
  "id": 1
}
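As an added example that is not Wallarm’s template or Anthropic’s reference code, here is the exchange described above in Python: an exposure probe that performs the MCP Streamable HTTP handshake (initialize, capture of the Mcp-Session-Id header, notifications/initialized) and then enumerates tools/list, resources/list and prompts/list, run against a constructed in-memory stand-in for an exposed server so it works offline. The transport is abstracted as a send(request, headers) callable; swap in real HTTP (urllib or requests) to aim it at a host. It also shows the caveat a single bare tools/list probe runs into: a spec-compliant stateful server rejects it with a JSON-RPC error until initialize has happened, which is still a JSON-RPC fingerprint but not a confirmed listing. The server name, tool and resource names, and session id are invented for the example.

```python
# Added example (not Wallarm's template or MCP's reference code): the JSON-RPC 2.0
# exchange an MCP exposure probe performs over the Streamable HTTP transport,
# run here against a constructed in-memory server so it works offline.
# Transport is abstracted as send(request, headers) -> (status, headers, body).
import json
from typing import Callable, Optional, Tuple

Transport = Callable[[dict, dict], Tuple[int, dict, str]]

PROBE_METHODS = ("tools/list", "resources/list", "prompts/list")
# Result key each list method returns per the MCP spec.
SPEC_RESULT_KEY = {"tools/list": "tools", "resources/list": "resources", "prompts/list": "prompts"}


def build_request(method: str, req_id: int, params: Optional[dict] = None) -> dict:
    """JSON-RPC 2.0 request. MCP expects params as an object, so default to {} rather than []."""
    return {"jsonrpc": "2.0", "id": req_id, "method": method,
            "params": params if params is not None else {}}


def header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (servers differ in Mcp-Session-Id casing)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def parse_messages(content_type: str, body: str) -> list:
    """Streamable HTTP may answer with plain JSON or a text/event-stream of data: frames."""
    if content_type.startswith("text/event-stream"):
        return [json.loads(line[5:].strip()) for line in body.splitlines() if line.startswith("data:")]
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return []
    return parsed if isinstance(parsed, list) else [parsed]


def classify(method: str, messages: list) -> str:
    """'confirmed': result carries the spec-defined list; 'jsonrpc-error': only a
    JSON-RPC 2.0 error envelope came back (still a fingerprint); 'none': not JSON-RPC."""
    verdict = "none"
    for m in messages:
        if not isinstance(m, dict) or m.get("jsonrpc") != "2.0":
            continue
        result = m.get("result")
        if isinstance(result, dict) and isinstance(result.get(SPEC_RESULT_KEY[method]), list):
            return "confirmed"
        if "error" in m:
            verdict = "jsonrpc-error"
    return verdict


def bare_probe(send: Transport, method: str) -> str:
    """A single list-method POST with no initialize: what a naive scanner sends."""
    _, rh, body = send(build_request(method, 1),
                       {"Content-Type": "application/json", "Accept": "application/json, text/event-stream"})
    return classify(method, parse_messages(header(rh, "Content-Type"), body))


def probe(send: Transport) -> dict:
    """Full handshake: initialize, capture Mcp-Session-Id, send notifications/initialized,
    then enumerate the three list methods with the session attached."""
    headers = {"Content-Type": "application/json", "Accept": "application/json, text/event-stream"}
    init_params = {"protocolVersion": "2025-03-26", "capabilities": {},
                   "clientInfo": {"name": "exposure-probe", "version": "0"}}
    _, rh, _ = send(build_request("initialize", 0, init_params), headers)
    if header(rh, "Mcp-Session-Id"):
        headers["Mcp-Session-Id"] = header(rh, "Mcp-Session-Id")
    send({"jsonrpc": "2.0", "method": "notifications/initialized"}, headers)  # notification: no id
    findings = {}
    for i, method in enumerate(PROBE_METHODS, start=1):
        _, rh, body = send(build_request(method, i), headers)
        findings[method] = classify(method, parse_messages(header(rh, "Content-Type"), body))
    return findings


def fake_mcp_server(session_id: str = "constructed-session-1") -> Transport:
    """Constructed stand-in for an exposed, unauthenticated, stateful MCP server."""
    sessions = set()
    json_hdr = {"Content-Type": "application/json"}

    def reply(req_id, result=None, error=None):
        msg = {"jsonrpc": "2.0", "id": req_id}
        msg["result" if error is None else "error"] = result if error is None else error
        return json.dumps(msg)

    def handle(request: dict, headers: dict):
        method = request.get("method")
        if method == "initialize":
            sessions.add(session_id)
            result = {"protocolVersion": "2025-03-26",
                      "capabilities": {"tools": {}, "resources": {}, "prompts": {}},
                      "serverInfo": {"name": "constructed-mcp", "version": "0.0.1"}}
            return 200, {**json_hdr, "Mcp-Session-Id": session_id}, reply(request["id"], result)
        if header(headers, "Mcp-Session-Id") not in sessions:  # spec: 400 without a valid session
            return 400, json_hdr, reply(request.get("id"),
                                        error={"code": -32000, "message": "Bad Request: No valid session ID provided"})
        if method == "notifications/initialized":
            return 202, {}, ""
        if method == "tools/list":  # delivered as an SSE frame, as many servers do
            tools = [{"name": "run_sql", "description": "Query the internal warehouse",
                      "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}}}]
            return 200, {"Content-Type": "text/event-stream"}, \
                "event: message\ndata: " + reply(request["id"], {"tools": tools}) + "\n\n"
        if method == "resources/list":
            return 200, json_hdr, reply(request["id"], {"resources": [{"uri": "file:///srv/app/.env", "name": "env"}]})
        if method == "prompts/list":
            return 200, json_hdr, reply(request["id"], {"prompts": [{"name": "summarize_customer_record"}]})
        return 200, json_hdr, reply(request.get("id"), error={"code": -32601, "message": "Method not found"})

    return handle


if __name__ == "__main__":
    srv = fake_mcp_server()
    print("bare tools/list:", bare_probe(srv, "tools/list"))  # jsonrpc-error: session required
    print("after initialize:", probe(srv))                     # all three confirmed
```

Two practical points fall out of this: a JSON-RPC 2.0 error envelope (the -32000 session error or a -32601 Method not found) is itself a fingerprint worth a follow-up with the full handshake rather than a negative result, and the parser has to accept text/event-stream bodies as well as plain JSON, because Streamable HTTP servers may answer in either form.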

This isn’t just theory. Wallarm has already folded this detection into our own API Security Platform. If your organization uses Wallarm, this detection is automatically applied to all incoming and outbound traffic, and flagged through our Active Threat Verification engine. When an exposed MCP server is detected, it’s not just logged — it’s correlated, fingerprinted, and actionable.

If you’re running your own tests, the template’s id and info header look like this; the request and matcher sections follow it in the full template:

id: mcp-jsonrpc2-ultimate-detect
info:
  name: MCP Server JSON-RPC 2.0 Full Detection (tools/list, etc.)
  author: ivan_wallarm
  severity: high
  description: Detects exposed MCP servers via multiple JSON-RPC 2.0 methods, including tools/list, rpc.discover, resources/list, prompts/list.
  tags: jsonrpc, mcp, rpc, ai, exposure, llm-infra

So where do we go next?

As AI accelerates, so do protocol-level risks. Wallarm is actively mapping the full scope of MCP exposure, from chaining tool calls into simulated RCE to prompt-based identity hijack vectors. We’re developing behavior-driven detections that can alert even when an MCP server sits behind authentication but starts behaving anomalously because the agent driving it has been hijacked. And we’re building fuzzers that target language-specific MCP implementations to push deeper into edge-case attacks.

This is just the beginning.

If your team is already experimenting with LLM infrastructure, or deploying MCP in any form, we’d encourage you to talk with us. Request a demo to see how our platform detects, correlates, and protects against these next-gen protocol exposures. Or if you want to roll up your sleeves and hunt, explore the MCP detection template and plug it into your scanning pipeline.

The future of AI security isn’t just about data — it’s about protocols. And Wallarm’s ready.

The post Wallarm Research Releases Nuclei Template to Counter Threats Targeting LLM Apps appeared first on Wallarm.