Derek: Hey everyone, welcome back to Autonomous Autopsy. Six episodes in and this might be the messiest one yet. Okay, so we've got a mess to open with this week. Anthropic basically shrugging on a remote code execution bug. Wait, shrugging? On purpose? Pretty much. I mean, OX Security disclosed it back in April and it's systemic, baked deep into their SDK. And the fix was no fix, basically. So that's where we start. And then get this,
Max: Mm-hmm.
Derek: Black Hats got a briefing claiming Anthropic, Google, and OpenAI agents all fail the exact same trust handoff. All three? Reportedly, plus a cheap 30 billion parameter open model supposedly out-hacking the frontier ones. Okay, we need that whole segment. DEF CON's theme this year is agency, which, given everything we just said, is either brilliant or a cry for help. Little of both. AI Village is running a poster track just on attacking agents. And then the wildest thing on the whole show floor, an All-Autonomous capture the flag. No humans, just agents hacking agents on shared cloud GPUs. Shared GPUs.
Speaker 3: Wow.
Derek: We have thoughts about that. We're also tracking the MCP CVE count and it's climbing fast. Fast enough the scanning tools might already be behind. For the non-engineers in the audience, that's a lot of holes. Fast. Cool. Cool, cool, cool. Very cool. Let's start where this whole story actually starts, with Anthropic calling a hole in their own SDK a feature. Picture a bug report where the vendor's basically saying, yeah, we know, we're not fixing it.
Speaker 4: That's not hypothetical, is it?
Derek: Nope. OX Security dropped this in April, nicknaming it the mother of all AI supply chains. It's about Anthropic's own MCP SDK.
Speaker 4: The Model Context Protocol, the thing half the industry just bolted onto their agents?
Derek: Exactly. And the RCE is baked into the SDK itself. Hell, Python, TypeScript, Java, Rust, all four.
Speaker 4: Wow.
Derek: Wait, all four languages have the same whole? Same root cause. The STDIO transport. You pass a configuration string meant to launch a local server process, and that string gets executed as a shell command, no sanitization required. So if I can touch that config field, you own the box. OX put the exposure at over 150 million downloads. in more than 7,000 publicly reachable servers.
Speaker 4: Cool, cool, cool, cool.
Derek: In the part that got me, Anthropic's response wasn't a patch; it was a shrug. Anthropic told OX that the STDIO execution model is, quote, expected behavior and sanitization is the developer's job. Hold on, hold on. They called an RCE a feature? Apparently, the SDK still ships that way today. So every developer who trusted the reference implementation just inherited a shell execution primitive with no warning label. That's the shape of it, and it's not theoretical. Researchers used the exact same root cause to get authenticated RCE on Letta AI. Letta, the agent memory framework, that one. And on LangFlow it got worse. Unauthenticated, full server takeover because OX found the MCP config. The big panel exposed to the internet with zero auth in front of it. Unauthenticated? Just send a request and you're in? That's the disclosures claim. So a protocol vendor is telling thousands of downstream teams, figure it out yourselves, and that's just the standard now? That's the position. Anthropic's Frames STDIO is a secure default because it's local by design. OX's argument is that a primitive this dangerous shouldn't ship with zero guardrails when it's getting embedded everywhere. I keep landing on the accountability question. When the protocol owner says, not my problem, who's supposed to catch this before it hits production? That's the exact question a lot of security researchers are about to spend a week arguing about in Vegas. Speaking of nobody patching anything, Black Hat's already lining up talks that prove this isn't a one vendor problem. Oh, tell me it's not another MCP. Worse, Black Hat USA runs August first through sixth at Mandalay Bay, ITSPmagazine's breakdown has trainings running the first four days, then a two day main conference. So four days of how to hack, then two days of look what we hacked. Basically. And tucked in there, August fourth, there's a dedicated AI summit before the briefings. The briefing's even open. What's actually on the docket? This year's briefings lean hard into AI offense and defense, plus AI-driven attacks on hardware and embedded firmware, but one talk stands out. It's called Trusted Enough to Run. Ominous title. It's about the trust handoff, the moment an agent framework decides a tool call or a sub-process is safe to run without a human checking. One piece covering Black Hat's AI agent track. From the agentic protocol:
Speaker 4: Wow.
Derek: Says this talk reproduces that exact failure across Anthropic, Google, and OpenAI agent workflows. Simultaneously. Wait, same bug, three different companies? Not the same bug, same category of bug. Different code bases, same blind trust. And here's the part that keeps me up.
Speaker 4: Mm-hmm.
Derek: That same piece cites a fine-tuned 30 billion parameter open model hitting a 56% exploit success against agent. Agents, fifty six per cent. at a fraction of frontier model cost. So if an open source model a fraction of the size can out attack the big guys, size stops being the security pitch. Exactly; our models bigger doesn't mean safer anymore. Brutal for every sales deck leaning on scale as a security feature. Trust our frontier model hits different when a thirty b knockoff is the one doing the breaking in. And that accountability question, who answers when the agent pulls the trigger? Doesn't stay in Mandalay Bay. It walks straight to DEF CON. Flip that on its head for a second. DEF CON's official theme this year is agency. I read that nearly choked on my coffee. Self-determination in tech? That's literally DEFCON's own framing for it. Yeah, that's straight from DEFCON's own announcement. And here we are talking about agents that can't self-determine past a bad prompt. Dates are locked, August 6th through 9th, Las Vegas Convention Center. AI Village confirmed they're back with demos, CTF... Actually Community Programming And this year They're not just running booths. New poster track—adversarial attacks on agents and agentic systems. Open to what kind of work? In-progress research, negative results, reproductions, threat models, anything that isn't a polished vendor pitch. Which,
Max: Mm-hmm.
Derek: after Black Hat's trust handoff mess, feels less like coincidence and more like the whole field converging on one fire. AI Village's own pitch is that they're stripping the hype Hype out. No-bullshit AI security work, full stop. Honestly, after expected behavior, blunt sounds great. There's a drop in workshop track, too: how LLMs actually work under the hood, prompt injection tactics, even manipulating malware detection models. So people walk in and learn to break the exact systems Black Hat is about to put on stage. Same week, same city. Vegas turns into a two-week stress test on agentic AI. Back-to-back. And DEF CON hands us a theme about empowerment when the real question is who's actually driving. The irony writes itself. The poster tracks just the setup, though. There's one contest that takes zero humans deciding all the way to its end point. Oh, I already know which one you're about to bring up. Building on that agency joke, the wildest version of it is a contest called HalCTF. The all-autonomous one? Fully autonomous. DEF CON's own contest page calls it DEF CON's first all-autonomous capture-the-flag, no human touching a keyboard. Wait, none. So who's scouting and exploiting? Self-contained Docker operators running on local LLM infrastructure, they scout, exploit, and pivot through live targets solo. Okay, plot twist. No Claude, no Codex, no Gemini allowed. Banned on purpose, DEF CON frames it as breaking dependence on providers who can cut off access whenever they feel like it. So it's basically a giant we don't need you aimed at Anthropic, OpenAI, and Google, the same three we've been picking apart all episode. Pretty much. Every participant also gets a dedicated GPU on Google Cloud and fine-tunes their own pen-testing agent live. Live during the event. Wait, live? Mid-contest? Mid-contest. It's a public experiment. Can open weight models actually keep pace with frontier models on offense? Which lands right after that Black Hat talk on the cheap model beating frontier ones. Same tension, different stage. And nobody's talking about this part: dozens of unattended agents hammering live targets on one shared GPU cluster. That cluster is a target too. Right? Cross-tenant leakage? A compromised operator pivoting into someone else's fine-tuning job? Nobody's modeled that threat yet. DEF CON won the exact attack surface is trying to show defenses against. Honestly. So, does open weight actually win? We find out in August, but the CVE numbers piling up on MCP servers already hint which way this is trending. Oh, we're going there next. Yeah, same broken architecture, just a much bigger scoreboard now.
Speaker 3: Oh, you mean the CVE count?
Derek: Yeah, the vulnerable MCP project's database has logged more than 40 CVEs against MCP implementation since January across all four SDK languages.
Speaker 3: Whistles. 40 since January.
Derek: An off-seds timeline of MCP breaches puts the pace at roughly one new CVE every four days. All days, all year.
Speaker 3: That's faster than most teams even patch.
Derek: Way faster.
Speaker 3: Okay, what's actually in these forty? Please tell me it's not all the same bug wearing a new hat?
Derek: Mostly, yeah. Exec and shell injection alone account for an estimated forty-three per cent of everything filed.
Speaker 3: Forty-three percent—one root cause. Cool, cool, cool.
Derek: And a survey found something like thirty-eight to forty-one percent of registered MCP
Speaker 3: MCP servers have no real authentication at all. Wait, four in ten servers just
Speaker 4: Mm
Speaker 3: open?
Speaker 4: —hmm.
Speaker 3: Just open. Same pattern as the LangFlow takeover from the cold open. Nobody's checking who's on the other end. So does anything catch this before it ships? Invariant Labs has MCP scan? Registry audits exist? They do. Researchers are pretty blunt that neither is close to matching the exposure. So we built a scanner for a fire that's already forty buildings deep. It's deep.
Derek: Basically, the tooling's chasing a curve it can't catch,
Speaker 3: and NSA and CISA's security design guidance on MCP treats the trust boundary problem as structural, not something you patch once.
Derek: Which is the same root cause from the cold open, just multiplied across every SDK and every registry entry.
Speaker 3: So walking into two overlapping conferences with disclosures dropping this fast?
Derek: Yeah, and there's one thing you can actually check before you even board your flight.
Speaker 3: Your flight. With the flight to Vegas a month out, let's talk actual conference strategy. Please, skip the hype panels. Exactly. Skip anything titled "The Future of Agentic AI" and look instead at sessions on trust boundaries and tool call validation. Those are the talks that will actually change what you patch Monday. Right. And don't just sit through the schedule passively-keep the MCP CVE feed open on a second screen the whole week. Week live during the show? Given the filing pace we just covered, new disclosures could drop mid keynote. You want to know before the hallway track does. Nothing like patching from a hotel room at two a.m. Better than finding out from a tweet three weeks later. Fair. So trust boundary talks, CVE feed pinned open. What's the one thing people do before they even pack a bag? That's you, Max. Before you board that flight, run MCP Scan or whatever. However equivalent your team trusts against every single MCP server in your production stack, get an exact count of unauthenticated STDIO endpoints sitting there right now. Write the number down, bring it to the first meeting back. So that's the episode. Anthropic calling a remote code execution a feature, and somehow that wasn't even the wildest part. Right; the wildest part is watching autonomous agents duke it out on borrowed GPUs at DEF CON while nobody's checked who else is on that cluster. If there's one takeaway, the CVE feed is moving faster than most teams can patch. Trust boundaries need eyes on them, now, not after Black Hat. Exactly. So go read your MCP configs before you leave for Vegas. That's the real homework. Or actually, that's just Monday. Close enough. New episodes drop every Tuesday. Subscribe wherever you're listening. And if this kept you from shipping a bad deployment,
Derek: leave us a review. leave us a review.
Max: Thanks for spending this one with us.
Derek: We'll see you next week, hopefully with fewer RCEs. No promises.

