Now in early access, book a 30-minute demo →
Top riskmedium

Local Network Exposure

AI tooling opens listening services on developer machines - local MCP servers, inference gateways, agent daemons, debug endpoints - often unauthenticated. Attackers reach them through the browser, SSRF, and internet-wide scanning.

Attackerweb page or network scan Malicious web pagetargets localhost Network scaninternet-wide probes Local listenermcp / gateway port Secrets + agentkeys, tool authority Endpoint Sensorinventory + flag lures victim probes hosts hits localhost reaches open port unauth access flags exposure
An attacker reaches a listening local service - through a malicious web page in the browser or a direct network scan - and pivots to the agent's authority and secrets.

Agentic tooling turns quiet developer laptops into hosts full of listening services: a local MCP server exposes an HTTP or SSE port for an IDE, an inference gateway proxies model calls, an agent daemon accepts control connections, a debug endpoint stays open after testing. Each is a network service, and most are stood up assuming only the developer can reach them. That assumption is the vulnerability.

These listeners multiply faster than anyone tracks them, frequently bind without authentication, and often front privileged capabilities: running tools, reading files, forwarding API calls with embedded credentials. Treating localhost as a security boundary is a mistake attackers have automated against.

How the attack works

There are two reliable ways to reach a listener assumed to be private. The first is the browser: a page the developer visits can issue requests to localhost from inside the victim's machine, and DNS rebinding lets a malicious site reach a service that never expected cross-origin traffic. The second is the network, because a service bound to a LAN interface, VPN address, or public IP is reachable by anyone who can route to it, and is found by continuous scanning. See browser AI security risks and controls.

Server-side request forgery ties these together. Many AI components fetch a caller-supplied URL or API base server-side, and an attacker who controls that value can pivot the component into requesting internal addresses like a metadata endpoint or admin service, using its own network position and credentials. Exposed LLM and agent infrastructure is now an active target class, with automated campaigns sweeping the address space for these ports, as in the LLM infrastructure mass-scanning and SSRF campaign.

Attack scenarios

Mitigations

  1. Inventory every listener the agent stack opens. You cannot firewall a port you do not know is open. Enumerate the MCP servers, gateways, and daemons on each endpoint and the ports they bind.
  2. Bind to loopback and authenticate anyway. Prefer localhost over routable interfaces, but still require a token, because loopback is reachable by the browser and by any local process.
  3. Constrain outbound fetches. For any component that retrieves a caller-supplied URL, deny requests to internal ranges and metadata addresses so an SSRF cannot pivot inward.
  4. Enforce at the tool-call boundary. When a listener exists to invoke tools, evaluate each call against policy before it runs, so a reached listener produces denied, logged attempts.
  5. Watch for drift. A debug port that opens after an update, or a service that binds to a new interface, is a change worth catching.

How Anomity helps

Anomity's lightweight, unprivileged Endpoint Sensor discovers the artifacts behind these listeners on every Windows, macOS, and Linux endpoint - the MCP servers, agents, and CLIs in the stack - and records each one's source, owner, version, and reach, so the software opening local ports becomes an inventory rather than a guess. It surfaces newly installed servers and configuration changes as change events, and on agents that expose a hook it evaluates each tool call and returns allow, deny, or log before it runs, containing a listener an attacker has reached. Violations route to SIEM, Slack, email, and Jira, and every event lands in a queryable 90-day audit trail that complements the EDR and network controls policing the ports.

See this surface in your own fleet

Anomity's Endpoint Sensor discovers every AI agent, MCP server, skill, and rules file on every endpoint, and governs each tool call at the hook. Book a 30-minute demo.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok