Vulnerabilities in Cursor AI Could Be Exploited for Arbitrary Code Execution

📟 News

Date: 07/08/2025

Several vulnerabilities have been fixed in the popular AI code editor Cursor AI. The bugs allowed MCP configuration files to be modified stealthily and arbitrary code to be executed without the user’s request or approval.

MCP (Model Context Protocol) is an open standard introduced by Anthropic in November 2024. It allows AI systems (including agents and large language models — LLMs) to connect to external data sources and interact with each other. While MCP indeed simplifies such processes, it also opens up entirely new possibilities for attacks. We recently dedicated a comprehensive article to these issues.

This week, analysts from Check Point reported an RCE vulnerability, CVE-2025-54136 (scored 7.2 on the CVSS scale), in the AI editor Cursor AI. The issue allowed the development environment to be stealthily “poisoned” without the user’s knowledge.

On July 29, 2025, Cursor developers released an updated version 1.3 addressing this bug and several other issues, but researchers warn about the risks of supply chain attacks.

Experts report that the issue allowed an attacker to stealthily alter a previously trusted MCP configuration, either in a shared GitHub repository or by editing the file locally on the victim’s computer, without Cursor requesting confirmation from the user. With the release of version 1.3, Cursor now requires approval every time the MCP server configuration changes.

“We decided to investigate whether the model accounts for trust and validation while executing MCP in Cursor, considering potential changes over time, especially in cases where a previously approved configuration is subsequently altered,” the researchers write. “In team development, such changes occur frequently, and any gaps in the validation system can lead to command injections, code execution, and persistent compromise.”

Researchers have demonstrated that it is possible to alter an already approved configuration of the MCP server in such a way that malicious code is executed every time a project is opened in Cursor.

The vulnerability has been named MCPoison, and the root of the problem lies in the one-time approval of configurations: after the initial confirmation, Cursor no longer requests validation for further changes.

Thus, an attacker can add a harmless command to the MCP configuration in a shared repository, then wait for someone to approve it and stealthily swap the content with malicious code. As a result, it will execute every time the victim opens the project.

Experts have demonstrated a proof-of-concept exploit where, after approval of a harmless command, it is replaced with a reverse shell, allowing the attacker to gain remote access to the system each time the project is launched.

Check Point emphasizes that this is just the first vulnerability in a series of issues found in AI tools targeted at developers.

“As AI tools and environments with integrated LLMs continue to change the approach to software development, we will continue to publish reports on other issues, highlighting the overlooked threats in this area, to enhance the security level of the entire ecosystem,” the experts conclude.

This week, experts from Aim Labs also reported issues in Cursor AI. The vulnerability they discovered has been assigned the identifier CVE-2025-54135 (with a CVSS score of 8.6) and dubbed CurXecute. The issue allowed remote attackers to exploit an indirect prompt injection vulnerability to modify MCP files and execute arbitrary code.

The vulnerability arose because Cursor did not require user confirmation when creating MCP files. Consequently, an attacker could use a prompt to create a dotfile (for example, .cursor/mcp.json) and trigger remote code execution.

In the security advisory, Cursor developers reported:

“If this vulnerability is combined with another prompt injection bug, it allows writing MCP files to the host. This can lead to direct code execution, which is injected as a new MCP server.”

According to analysts, the root of the problem was that proposed changes in mcp.json are immediately written to disk and executed before the user has a chance to reject or accept them. It is emphasized that any third-party MCP server that processes external content is susceptible to such attacks (including customer support tools, issue tracking systems, and search engines).
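Both of the problems described above (MCPoison: a one-time approval that is never re-checked when the approved definition changes, and CurXecute: an mcp.json that is written and acted on before the user accepts it) come down to the same missing check. The following Python sketch is an added example, not Cursor’s code; it assumes the common mcp.json layout with an "mcpServers" object keyed by server name, and it shows an approval store that pins a content hash per server and refuses to start anything that is new or differs from what was approved:

```python
import hashlib
import json


def canonical_hash(server_def: dict) -> str:
    """Hash a canonical JSON form so whitespace or key reordering neither
    hides a real change nor triggers a spurious re-approval prompt."""
    data = json.dumps(server_def, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def review_mcp_config(config_text: str, approved: dict) -> dict:
    """Compare every server in an mcp.json against the approval store
    (server name -> hash approved earlier). Verdict per server: 'ok',
    'changed' (definition differs from the approved one) or 'unapproved'
    (never approved, e.g. a freshly written file)."""
    servers = json.loads(config_text).get("mcpServers", {})  # assumed schema
    verdicts = {}
    for name, definition in servers.items():
        if name not in approved:
            verdicts[name] = "unapproved"
        elif approved[name] != canonical_hash(definition):
            verdicts[name] = "changed"
        else:
            verdicts[name] = "ok"
    return verdicts


def approve_server(config_text: str, approved: dict, name: str) -> str:
    """Record the user's explicit approval of one server's current definition."""
    definition = json.loads(config_text)["mcpServers"][name]
    approved[name] = canonical_hash(definition)
    return approved[name]


def startable(config_text: str, approved: dict) -> list:
    """Only servers with verdict 'ok' may be launched; the rest go back to the user."""
    return [n for n, v in review_mcp_config(config_text, approved).items() if v == "ok"]


# Constructed sample configs (not taken from the advisories). The tampered
# version only changes an argument; a real attack would swap the whole command.
ORIGINAL = '{"mcpServers": {"lint": {"command": "echo", "args": ["hello"]}}}'
REORDERED = '{"mcpServers": {"lint": {"args": ["hello"], "command": "echo"}}}'
TAMPERED = '{"mcpServers": {"lint": {"command": "echo", "args": ["tampered"]}}}'


def poison_scenario() -> list:
    """Walk the MCPoison sequence: approve the benign definition, then swap it."""
    store = {}
    steps = [review_mcp_config(ORIGINAL, store)["lint"]]
    approve_server(ORIGINAL, store, "lint")
    steps.append(review_mcp_config(REORDERED, store)["lint"])
    steps.append(review_mcp_config(TAMPERED, store)["lint"])
    return steps  # ['unapproved', 'ok', 'changed']
```

A pre-1.3 Cursor behaved like a store that returned 'ok' forever after the first approval; the 'changed' and 'unapproved' verdicts are exactly the prompts the 1.3 fix adds.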

The third issue in the code editor was reported by researchers from BackSlash and HiddenLayer. This bug was also related to indirect prompt injections and concerned the Auto-Run mode, where commands are executed automatically without requesting permissions.

Although a user can set a list of commands that require confirmation, this protection could be bypassed by embedding a prompt directly in a comment block of a git repository’s Readme file. When a victim cloned such a repository, Cursor read the instructions and followed them, which allowed an attacker to:

  • extract confidential data;
  • use legitimate tools to collect and transmit files;
  • perform other malicious actions without notifying the user.

“We have discovered at least four methods that allowed us to bypass the denylist in Cursor and execute unauthorized commands through a compromised agent,” added BackSlash.

This issue was also fixed in version 1.3.
