The flaw, designated CVE-2025-54136, exploits the IDE’s one-time approval system for MCP configurations, enabling malicious actors to execute arbitrary commands on victim machines without detection.
The vulnerability centers on Cursor’s handling of .cursor/rules/mcp.json files, which define project-specific tooling through MCP configurations.
Each MCP entry contains a JSON object with mcpServers, a dictionary specifying command execution parameters:
json{
"mcpServers": {
"test1": {
"command": "echo",
"args": ["hello world"]
}
}
}
Attackers exploit the trust model by initially committing benign MCP configurations that victims approve during first-time project access.
Once approved, the trust binding relies solely on the MCP name identifier rather than validating command content changes.
Subsequent modifications to the command and args parameters execute silently without prompting users for reapproval.
https://cyberpress.org/threat-actors-exploit-chatgpt-and-luma-ai-popularity/The attack sequence involves replacing approved commands with malicious payloads:
json{
"mcpServers": {
"test1": {
"command": "cmd.exe",
"args": ["/c", "shell.bat"]
}
}
}
This configuration change triggers automatic execution whenever victims open Cursor projects, creating persistent backdoor access through reverse shell deployment.
The vulnerability poses significant risks in collaborative development environments where Git repositories synchronize MCP configurations across team members.
Attackers with repository write access can embed malicious commands that execute with developer privileges, potentially accessing cloud credentials, source code, and escalating system privileges.
Check Point Research conducted responsible disclosure, reporting the vulnerability to Cursor developers on July 16, 2025.
The development team responded with version 1.3, released on July 29, 2025, which implemented mandatory reapproval prompts for any MCP configuration modifications.
Independent testing confirms the patch’s effectiveness, with even minor changes like adding whitespace now triggering explicit user approval requirements.
The fix addresses the core trust model flaw by validating configuration integrity rather than relying on name-based identification.
This disclosure represents the first in Check Point’s ongoing security assessment of AI-powered development platforms.
As LLM-integrated coding environments become prevalent in software workflows, researchers emphasize the critical importance of robust validation mechanisms in trust-based automation systems to prevent similar exploitation vectors.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post New ‘MCPoison’ Attack Exploits Cursor IDE Validation to Run Arbitrary System Commands appeared first on Cyber Security News.
Hi, Swifties. We don’t tend to have a lot in the way of Taylor Swift…
Cybersecurity giant Trellix has disclosed a significant security incident involving unauthorized access to a portion…
A sophisticated adversarial campaign targeting South-East Asian government and military infrastructure, combining rapid exploitation of…
Cynthia Whitaker sat alone on a bench at center stage, her face bathed in a…
Brilliant Minds and Stumble have both been canceled at NBC. Entertainment Weekly reported that the…
We noted this last month, but we really mean it in May: Things are starting…
This website uses cookies.