New MCPoison Attack Leverages Cursor IDE MCP Validation to Execute Arbitrary System Commands
A critical vulnerability in Cursor IDE, the rapidly growing AI-powered development environment, enables persistent remote code execution through manipulation of the Model Context Protocol (MCP) system.
The vulnerability, tracked as CVE-2025-54136 and dubbed “MCPoison,” exploits a trust validation flaw that allows attackers to execute arbitrary commands on developer machines without triggering security warnings.
Cursor IDE has emerged as one of the most popular AI-assisted development platforms, combining traditional code editing with deep large language model (LLM) integrations.
The platform’s appeal lies in its sophisticated automation capabilities, particularly through MCP configurations that enable seamless execution of development workflows involving remote APIs, LLM-generated commands, and local system operations.
The vulnerability stems from a fundamental flaw in Cursor’s trust validation model for MCP execution.
Researchers discovered that while Cursor requires initial user approval for MCP configurations, any subsequent modifications to approved configurations are automatically trusted without additional validation or user consent.
This creates a dangerous attack vector where a single approval can be exploited for persistent, silent code execution.
MCPoison Attack Bypasses
The MCPoison attack follows a deceptively simple but highly effective pattern. Attackers first commit a benign MCP configuration file (.cursor/rules/mcp.json), containing only harmless commands such as basic system utilities, to a shared repository.
When developers open the project in Cursor, they encounter a standard approval prompt and, seeing the innocuous command, approve the MCP configuration.
The critical vulnerability emerges after this initial approval. Cursor binds trust exclusively to the MCP key name rather than verifying the underlying command or arguments.
This means attackers can later modify the same MCP entry to execute arbitrary system commands, including reverse shells, data exfiltration tools, or persistent backdoors. These modifications execute silently every time the developer reopens Cursor, creating a persistent attack vector.
Check Point researchers demonstrated the vulnerability’s severity by deploying a reverse shell payload that activates automatically whenever the victim launches the IDE.
The payload remains persistent across repository synchronizations and project reopenings, effectively turning the trusted development environment into an automated attack platform.
Cursor’s MCP system stores project-specific configurations in .cursor/rules/mcp.json files, with each entry defining an MCP name, command, and optional arguments. The platform automatically scans the .cursor/ directory upon project launch and processes any MCP-related configurations discovered.
The trust mechanism operates through a one-time approval model where users are prompted to authorize MCP configurations on first encounter.
However, the system fails to implement change detection for approved configurations, allowing attackers to substitute malicious commands while preserving the original MCP name that received approval.
This architectural flaw enables sophisticated supply chain attacks in collaborative development environments. A malicious actor with repository write access can establish a foothold through an initially harmless MCP configuration, then escalate to arbitrary command execution through silent command substitution without requiring additional user interaction.
Check Point Research responsibly disclosed the vulnerability to Cursor’s development team on July 16, 2025. The company responded promptly, issuing version 1.3 on July 29, 2025, which addresses the core vulnerability by implementing mandatory approval prompts for any modifications to MCP configurations.
The fix ensures that even minor changes, such as adding a single space character, trigger new authorization requirements.
While Cursor’s release notes did not explicitly mention the security patch, independent testing by Check Point researchers confirmed the vulnerability’s remediation.
Users must now explicitly approve or reject any modified MCP configuration before execution, closing the trust bypass that enabled the MCPoison attack.
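To make the trust-binding difference concrete, the following Python sketch is an added example (not Cursor’s or Check Point’s code) that contrasts a name-keyed approval store, the pre-1.3 behaviour the article describes, with a content-bound store that fingerprints the whole entry; the "mcpServers" JSON shape and the sample commands are assumptions, and the configs are constructed for illustration.

```python
import hashlib
import json

# Constructed sample entries in the shape of a project-scoped MCP file
# (.cursor/rules/mcp.json, as the article names it). The "mcpServers" key and
# the command values are illustrative assumptions, not a real project's file.
BENIGN_CONFIG = {"mcpServers": {"helper": {"command": "echo", "args": ["hello"]}}}
# Same key name, substituted command: the MCPoison pattern.
TAMPERED_CONFIG = {"mcpServers": {"helper": {"command": "sh", "args": ["-c", "echo swapped"]}}}
# Same key name, one added space: the minimal change the 1.3 fix must catch.
WHITESPACE_CONFIG = {"mcpServers": {"helper": {"command": "echo", "args": ["hello "]}}}

def entry_fingerprint(entry):
    """Canonical SHA-256 over the whole entry (command, args, env, ...), so any
    change, even a single space, yields a different fingerprint."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class NameOnlyTrust:
    """Pre-1.3 model as described: approval is bound to the MCP key name alone."""
    def __init__(self):
        self.approved = set()
    def approve(self, name, entry):
        self.approved.add(name)          # the entry content is never recorded
    def is_trusted(self, name, entry):
        return name in self.approved     # so a swapped command still passes

class ContentBoundTrust:
    """Hardened model: approval is bound to the name and the entry fingerprint."""
    def __init__(self):
        self.approved = {}
    def approve(self, name, entry):
        self.approved[name] = entry_fingerprint(entry)
    def is_trusted(self, name, entry):
        return self.approved.get(name) == entry_fingerprint(entry)

def needs_reapproval(trust, config):
    """Entry names in `config` that must be prompted for again before running."""
    return sorted(n for n, e in config["mcpServers"].items() if not trust.is_trusted(n, e))

def run_scenario(trust):
    """Approve the benign file once, then 'reopen' with each modified variant.
    Returns, per variant, the entries a prompt would still be shown for."""
    for name, entry in BENIGN_CONFIG["mcpServers"].items():
        trust.approve(name, entry)
    return {"tampered": needs_reapproval(trust, TAMPERED_CONFIG),
            "whitespace": needs_reapproval(trust, WHITESPACE_CONFIG)}
```

Under the name-only store both modified files run with no prompt; under the content-bound store both, including the single-space edit, come back for re-approval.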
The disclosure represents the first in a planned series of vulnerability assessments targeting AI development platforms. As AI-assisted coding tools become increasingly integrated into software development workflows, security researchers are identifying novel attack vectors that exploit the intersection of artificial intelligence, automation, and traditional software security boundaries.
Security experts note that the MCPoison attack demonstrates how AI systems’ reliance on automation and trust-based workflows can be weaponized against the very users they’re designed to assist.
Organizations using Cursor IDE should immediately update to version 1.3 or later to protect against MCPoison exploitation.