A zero-click vulnerability in Anthropic’s Claude AI assistant — one that could have allowed attackers to take over a user’s computer through a poisoned document — sat exposed until security researchers found it and worked with the company to patch it. The flaw, disclosed in late March 2025, represents one of the most concrete demonstrations yet of how AI tool extensions can become attack vectors with devastating consequences. No user interaction required. Just opening a file was enough.
The vulnerability was discovered and reported by security researchers at Apex Security, who detailed how a specially crafted prompt hidden inside a document could hijack Claude’s Model Context Protocol (MCP) extensions to execute arbitrary commands on a victim’s machine. According to The Hacker News, the attack chain exploited the way Claude processes instructions embedded in external content — a class of weakness known as indirect prompt injection — and turned it into a full remote code execution exploit.
That’s not a theoretical risk. That’s a working exploit chain.
To understand why this matters, you need to understand MCP. Anthropic introduced the Model Context Protocol as an open standard that lets AI models interact with external tools, data sources, and services. Think of it as a universal adapter: MCP extensions give Claude the ability to read files, query databases, execute code, and interact with APIs. The protocol was designed to make Claude more useful in real-world workflows, and it has succeeded at that. But the same capabilities that make MCP powerful also make it dangerous when trust boundaries break down.
And that’s exactly what happened here. The Apex Security team found that when Claude processed a document containing hidden malicious instructions, it could be tricked into invoking MCP tool calls that the user never authorized. The attack worked because Claude treated instructions embedded in external content with the same level of trust as direct user commands. A poisoned PDF, a shared document, even a webpage — any content that Claude ingested could carry the payload. The victim didn’t need to click anything, approve anything, or even notice anything unusual. Claude would simply follow the embedded instructions, call the relevant MCP extension, and execute commands on the host system.
The implications are staggering for enterprise environments where Claude is deployed with filesystem access, code execution capabilities, or connections to internal tools. An attacker who understood the target’s MCP configuration could craft a document that, once opened or summarized by Claude, would silently exfiltrate data, install malware, or establish persistent access. The attack surface scales with the number and power of installed extensions.
Anthropic responded quickly after Apex Security’s disclosure. The company patched the vulnerability by implementing stricter permission boundaries for MCP tool invocations and adding safeguards against indirect prompt injection in extension contexts. A spokesperson for Anthropic confirmed to researchers that the fix was deployed before any known exploitation in the wild. But the episode has triggered a broader reckoning within the AI security community about the fundamental architecture of tool-using AI systems.
The core problem isn’t unique to Claude. It’s structural.
Every major AI assistant that supports tool use — OpenAI’s ChatGPT with plugins, Google’s Gemini with extensions, Microsoft’s Copilot with connectors — faces some version of this risk. When an AI model can take actions in the real world, the question of who is giving the instructions becomes existential. Indirect prompt injection attacks exploit the gap between what the user intended and what the model was manipulated into doing by content it processed. Researchers have been warning about this class of vulnerability for over two years, but the Claude MCP exploit is among the first to demonstrate a complete, zero-click attack chain from document to code execution.
Simon Willison, an independent security researcher who has written extensively about prompt injection risks, noted on his blog that the MCP architecture “dramatically increases the blast radius” of prompt injection attacks. When the worst thing an AI could do was generate misleading text, prompt injection was an annoyance. When the AI can execute shell commands, it becomes a critical security vulnerability. The distinction matters enormously.
Security firm Trail of Bits published research in early 2025 examining the attack surface of MCP-compatible tools, concluding that most implementations lacked adequate sandboxing and permission controls. Their analysis found that many MCP servers — the components that bridge Claude to external tools — ran with the same privileges as the user, meaning any command Claude was tricked into executing would have full access to everything the user could touch. Files, credentials, network resources. All of it.
So where does this leave organizations that have integrated Claude into their workflows?
First, the immediate risk from this specific vulnerability has been mitigated. Anthropic’s patch addresses the particular exploitation path that Apex Security identified. But the broader class of attack remains an active area of concern. Organizations running MCP extensions should audit which tools are installed, what permissions they grant, and whether those permissions follow the principle of least privilege. An MCP extension that can read and write to the entire filesystem is a fundamentally different risk proposition than one scoped to a single directory.
Second, the incident highlights the need for runtime monitoring of AI tool invocations. Traditional endpoint detection and response (EDR) tools weren’t designed to flag suspicious behavior originating from an AI assistant’s tool calls. A new category of security tooling is emerging to fill this gap, but adoption remains early. Companies like Protect AI and Calypso AI have begun offering monitoring solutions specifically designed for AI agent behavior, though the market is still nascent.
Third — and this is the uncomfortable truth — there is no complete technical solution to indirect prompt injection. The problem is rooted in the fact that large language models cannot reliably distinguish between instructions from a trusted user and instructions embedded in untrusted content. Every mitigation deployed so far is a heuristic, a guardrail, a best-effort filter. They reduce risk. They don’t eliminate it. Anthropic’s own research team has acknowledged this in published papers, describing prompt injection as an “unsolved problem” in the current generation of language models.
The MCP protocol itself is under active development, and Anthropic has signaled that future versions will include more granular permission models, user confirmation requirements for sensitive operations, and improved isolation between the model’s reasoning and external content. These are meaningful steps. But they also represent a tacit admission that the original design didn’t account sufficiently for adversarial inputs flowing through the content pipeline.
What makes the Claude vulnerability particularly instructive is its simplicity. The exploit didn’t require sophisticated reverse engineering or novel cryptographic attacks. It required understanding how Claude processes text and crafting that text to trigger specific tool calls. The barrier to entry for this kind of attack is low — far lower than traditional software exploitation. Any competent red team operator could develop similar payloads once the technique is understood. And now it’s understood.
The AI industry is moving aggressively toward agentic systems — AI models that don’t just answer questions but take actions, make decisions, and operate semi-autonomously across digital environments. Every major lab is building in this direction. OpenAI’s Operator, Google’s Project Mariner, Anthropic’s own computer use capabilities. The commercial incentives are enormous. But each new capability granted to an AI agent is also a new capability that can be hijacked through prompt injection or similar manipulation techniques.
This tension — between utility and security — will define the next phase of AI deployment in enterprises. The Claude MCP vulnerability is a preview of what happens when that tension isn’t resolved before shipping. Anthropic, to its credit, has been more transparent than most about the security challenges inherent in tool-using AI systems, and its rapid response to this disclosure reflects a mature security posture. But transparency about the problem doesn’t make the problem go away.
For CISOs and security architects evaluating AI tool integration, the lesson is blunt: treat every AI agent with tool access as you would treat a junior employee with admin credentials. Monitor what it does. Limit what it can do. Assume it can be manipulated. And build your defenses around that assumption, not around the hope that the model will always follow instructions correctly.
The zero-click era of AI exploitation has arrived. The only question now is how fast defenses can keep up.


WebProNews is an iEntry Publication