A newly disclosed attack, dubbed MCPoison, abuses Cursor IDE's MCP trust-validation process to run arbitrary commands on a developer's machine.
A critical vulnerability in Cursor IDE, an increasingly popular AI-powered development environment, allows persistent remote code execution by manipulating the Model Context Protocol (MCP) configuration. The flaw, tracked as CVE-2025-54136 and referred to as "MCPoison," lies in how Cursor validates trust for MCP servers: it lets an attacker execute arbitrary commands on developer machines without triggering any security warning. Cursor has gained traction by combining a traditional code editor with large language model (LLM) capabilities. Much of its appeal comes from automation built on MCP configurations, which let the IDE launch local processes and talk to remote APIs on the developer's behalf as part of LLM-driven workflows. The vulnerability stems from a basic gap in Cursor's trust model for MCP execution: a user must approve an MCP server the first time it appears, but later modifications to an already-approved entry are trusted automatically, with no further validation and no new prompt.
The MCPoison attack follows a deceptively simple pattern. The attacker first commits a benign MCP configuration file (.cursor/rules/mcp.json) to a shared repository, containing a harmless command such as a basic system utility. When a developer opens the project in Cursor, they see the standard approval prompt and, judging the command to be innocuous, approve the MCP configuration. The flaw shows up only after this initial approval: Cursor binds trust solely to the MCP key name, not to the underlying command or its arguments. Anyone who can push to the repository (or land a pull request) can therefore later change that same MCP entry to run an arbitrary command, such as a reverse shell, a data-exfiltration tool, or a persistent backdoor, and the modified entry executes silently every time the developer reopens Cursor, turning a one-time approval into a persistent foothold. Check Point researchers demonstrated the impact by deploying a reverse-shell payload that fires automatically whenever the victim launches the IDE, effectively turning a trusted development environment into an automated attack platform. The practical check is the one Cursor's trust model omitted: approval must be bound to the full server definition (command, arguments, environment) rather than its name, so that any change to an approved entry forces a fresh prompt.