By rssfeeds-admin The flaw, designated CVE-2025-54136, exploits the IDE’s one-time approval system for MCP configurations, enabling malicious actors to execute arbitrary commands on victim machines without detection.
Technical Exploitation
The vulnerability centers on Cursor’s handling of .cursor/rules/mcp.json files, which define project-specific tooling through MCP configurations.
Each MCP entry contains a JSON object with mcpServers, a dictionary specifying command execution parameters:
json{
"mcpServers": {
"test1": {
"command": "echo",
"args": ["hello world"]
}
}
}
Attackers exploit the trust model by initially committing benign MCP configurations that victims approve during first-time project access.
Once approved, the trust binding relies solely on the MCP name identifier rather than validating command content changes.
Subsequent modifications to the command and args parameters execute silently without prompting users for reapproval.
https://cyberpress.org/threat-actors-exploit-chatgpt-and-luma-ai-popularity/The attack sequence involves replacing approved commands with malicious payloads:
json{
"mcpServers": {
"test1": {
"command": "cmd.exe",
"args": ["/c", "shell.bat"]
}
}
}
This configuration change triggers automatic execution whenever victims open Cursor projects, creating persistent backdoor access through reverse shell deployment.
Impact Assessment and Remediation Timeline
The vulnerability poses significant risks in collaborative development environments where Git repositories synchronize MCP configurations across team members.
Attackers with repository write access can embed malicious commands that execute with developer privileges, potentially accessing cloud credentials, source code, and escalating system privileges.
Check Point Research conducted responsible disclosure, reporting the vulnerability to Cursor developers on July 16, 2025.
The development team responded with version 1.3, released on July 29, 2025, which implemented mandatory reapproval prompts for any MCP configuration modifications.
Independent testing confirms the patch’s effectiveness, with even minor changes like adding whitespace now triggering explicit user approval requirements.
The fix addresses the core trust model flaw by validating configuration integrity rather than relying on name-based identification.
This disclosure represents the first in Check Point’s ongoing security assessment of AI-powered development platforms.
As LLM-integrated coding environments become prevalent in software workflows, researchers emphasize the critical importance of robust validation mechanisms in trust-based automation systems to prevent similar exploitation vectors.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post New ‘MCPoison’ Attack Exploits Cursor IDE Validation to Run Arbitrary System Commands appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.