MCPoison Attack Abuses Cursor IDE to Run Arbitrary System Commands

Cybersecurity researchers have uncovered a critical vulnerability in Cursor IDE that allows attackers to execute arbitrary system commands through a sophisticated trust bypass mechanism, potentially compromising developer workstations across collaborative coding environments.

Check Point Research disclosed the vulnerability, designated CVE-2025-54136 and dubbed “MCPoison,” which exploits Cursor IDE’s Model Context Protocol (MCP) trust system to achieve persistent remote code execution.

The attack leverages the IDE’s automatic processing of workspace configuration files to establish long-term unauthorized access to developer machines.

The vulnerability centers on Cursor’s handling of MCP configuration files stored in the .cursor/rules/mcp.json directory.

These files define project-specific tooling and automation workflows that execute locally when projects are opened.

While Cursor implements a one-time approval system for new MCP configurations, researchers discovered that subsequent modifications to approved configurations bypass security validation entirely.

Attack Methodology and Real-World Impact

The MCPoison attack follows a deceptively simple three-stage process that exploits collaborative development workflows. Initially, attackers commit benign MCP configuration files containing harmless commands like basic echo statements to shared repositories.

When victims open the project in Cursor, they encounter an approval prompt for the seemingly innocuous configuration and grant permission.

Once approval is obtained, attackers can modify the same MCP entry to execute malicious payloads, including reverse shells and arbitrary system commands.

These modifications execute silently without triggering new approval prompts, as Cursor’s trust system binds approval to the MCP name rather than validating configuration contents.

The attack’s persistence mechanism ensures that malicious commands execute automatically each time victims open Cursor or sync repository changes.

This creates a reliable backdoor that operates without user interaction beyond the initial approval, making it particularly dangerous in team environments where developers regularly synchronize shared codebases.

The vulnerability poses significant risks to development teams and organizations relying on Cursor for AI-assisted coding workflows.

Attackers with write access to shared repositories can establish persistent remote access, execute arbitrary commands within user contexts, and potentially escalate privileges on developer machines containing cloud credentials or sensitive source code.

The attack surface extends beyond individual workstations to entire development infrastructures, as compromised developer machines often serve as stepping stones for broader network penetration.

The silent nature of post-approval command execution makes detection challenging, potentially allowing persistent access for extended periods.

Check Point Research responsibly disclosed the vulnerability to Cursor’s development team on July 16, 2025.

The company released version 1.3 on July 29, 2025, which addresses the security flaw by requiring mandatory approval prompts for any MCP configuration changes, including minor modifications.

Independent testing confirms that the updated version effectively mitigates the vulnerability by validating configuration integrity rather than relying solely on name-based trust.

Security experts strongly recommend immediate updates to the latest Cursor version to prevent exploitation of this vulnerability in development environments.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!