Back door for hackers

Cursor: Critical security vulnerability discovered in AI coding tool

Schwachstelle, cursor schwachstelle, cursor sicherheitslücke, CVE-2025-54136, Cursor, Sicherheitslücke
Image source: Robert Way / Shutterstock.com
LinkedInRedditWhatsAppPocket

Deutsch This article is also available in German.

Security researchers from Check Point have discovered a serious vulnerability in the popular AI-based developer tool Cursor. The vulnerability allows attackers to permanently inject malicious code into development projects completely unnoticed.

Vulnerability discovered in the Cursor MCP system

The Check Point Research (CPR) team has identified an explosive security vulnerability in the coding tool Cursor. The vulnerability (CVE-2025-54136) was made public under the name MCPoison. The analysis shows: Attackers can permanently execute remote code on developer computers via the so-called MCP configuration within Cursor – without users being warned or asked again.

Ad

Cursor is based on the Model Context Protocol (MCP), which executes commands automatically and integrates AI-supported workflows into the development environment. However, this function in particular opens up dangerous gateways.

An approved MCP – an open door

When opening a project that contains an MCP configuration, an approval request first appears in Cursor. However, this is precisely where the weakness lies: once approved, the configuration remains permanently active – even if it has been manipulated in the background.

For example, an attacker can insert a harmless configuration into a repository and later replace it with malicious commands. Each time the victim opens Cursor, the modified command is executed automatically – without any further prompt or warning.

Ad

What is cursor and why is it affected?

Cursor is one of the fastest growing tools in the field of AI-powered software development. It combines classic code editing with powerful AI integration to help developers write, debug and analyze code.

The increasing use – especially in start-ups and research teams – has prompted CPR to take a closer look at the security structures of such tools. The focus was on the MCP system, which defines automatic workflows and integrates external scripts.

How the attack works in detail

An example of the process:

  1. An attacker inserts a trusted-looking MCP configuration into a shared repository.
  2. A team member opens the project and approves the configuration.
  3. The attacker changes the MCP code unnoticed into a malicious variant.
  4. Each time the project is opened again, the malicious code is automatically executed without prompting.

The attack remains silent, continuous and effective – a serious risk, especially in collaborative environments.

Potential consequences for companies

The vulnerability is not only technically questionable, but also has far-reaching consequences for organizations:

  • Permanent backdoor: The code can become active every time the project is opened – without notification or further approval.
  • Increased attack surface: Every team member with write access can potentially enable the attack.
  • Access to sensitive data: Developers often store access data or internal information locally, which can be compromised as a result.
  • Loss of intellectual property: Unnoticed reading or manipulation of source code can lead to massive damage.
  • Loss of trust in AI tools: Blind trust in automated workflows becomes a security risk.

“AI-powered developer tools are changing software development, but they are also creating new attack surfaces that seek to exploit developer trust,” warns Oded Vanunu, Chief Technologist & Head of Product Vulnerability Research at Check Point Software Technologies. “MCPoison shows how easily automation and convenience can be abused for stealthy, long-term exploitation in collaborative programming environments.”

What companies should do now

To protect against attacks via MCPoison, Check Point recommends the following measures:

  • Treat MCP files like source code: Introduce regular audits and version controls.
  • Avoid blind trust: Only approve what has really been understood – even in the case of seemingly harmless automation.
  • Control access rights: Only authorized users may change configurations in repositories.

Disclosure and response

Check Point informed the Cursor development team about the vulnerability on July 16, 2025. A security update followed on July 30, closing the gap.

Further information:

Here you can find the CPR blog “Cursor IDE: Persistent Code Execution via MCP Trust Bypass”.

You can see all the technical details and a demo video of the attack here.

(vp/heck Point Software Technologies Ltd.)


Ad

Weitere Artikel

Turkish arms sector in the sights of Dropping Elephant
Malware in popular cooking app RecipeLister
New variants of AsyncRAT discovered
16 billion login details: the data theft that nobody knew about