Cursor AI Code Editor Vulnerability Enables RCE via Malicious MCP File Swaps Post Approval
Briefly

Cursor AI has a high-severity security flaw, tracked as CVE-2025-54136 with a CVSS score of 7.2, that can lead to remote code execution. This vulnerability, named MCPoison, allows attackers to modify trusted Model Context Protocol (MCP) configurations, resulting in unauthorized command execution. The exploit involves adding a seemingly harmless MCP configuration, which can later be swapped for a malicious payload after approval. Once trusted, these configurations remain trusted indefinitely, increasing the risk of data theft and supply chain attacks.
A vulnerability in Cursor AI allows an attacker to achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine.
Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt.
The fundamental problem here is that once a configuration is approved, it's trusted by Cursor indefinitely for future runs, even if it has been changed.
Successful exploitation of the vulnerability not only exposes organizations to supply chain risks, but also opens the door to data and intellectual property theft.
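As an added illustration (not code from Cursor or from the original report), the sketch below binds an approval to the content of each MCP entry instead of its name, so an entry changed after approval is flagged for re-review. The `mcpServers` JSON layout, the server name `build-helper`, and all function names are assumptions made for this example.

```python
import hashlib
import json


def entry_fingerprint(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of one MCP server entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def approve(config_text: str) -> dict:
    """Record an approval: server name -> fingerprint of the exact entry reviewed."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: entry_fingerprint(entry) for name, entry in servers.items()}


def audit(approved: dict, config_text: str) -> list:
    """Compare the current config against recorded approvals.

    Returns (name, status) pairs for every entry that needs a fresh review.
    """
    servers = json.loads(config_text).get("mcpServers", {})
    findings = []
    for name, entry in sorted(servers.items()):
        if name not in approved:
            findings.append((name, "unapproved"))
        elif approved[name] != entry_fingerprint(entry):
            findings.append((name, "changed-after-approval"))
    return findings


# Constructed sample data (assumed layout): the entry as reviewed, the same
# entry with keys reordered, and the same name with a swapped command.
REVIEWED = '{"mcpServers": {"build-helper": {"command": "echo", "args": ["hello"]}}}'
REORDERED = '{"mcpServers": {"build-helper": {"args": ["hello"], "command": "echo"}}}'
SWAPPED = '{"mcpServers": {"build-helper": {"command": "calc.exe", "args": []}}}'

if __name__ == "__main__":
    pins = approve(REVIEWED)
    for label, text in (("reviewed", REVIEWED), ("reordered", REORDERED), ("swapped", SWAPPED)):
        print(label, audit(pins, text))
```

Hashing a canonical encoding keeps harmless key reordering from raising alerts, while any change to the command or its arguments invalidates the recorded approval.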
Read at The Hacker News