The AI-powered developer tool Cursor was found to have a critical vulnerability (CVE-2025-54136, dubbed MCPoison) that allows attackers to permanently inject malicious code into development projects via its Model Context Protocol (MCP) system. Once a seemingly harmless MCP configuration is approved by a developer, attackers can later replace it with malicious commands. The modified code executes automatically every time the project is opened, without further warnings or approvals, creating a persistent backdoor. This flaw enables unauthorized access to sensitive data (e.g., credentials, internal documents) stored locally by developers, intellectual property theft through source code manipulation, and compromise of collaborative environments, especially in startups and research teams where Cursor is widely used. The vulnerability exploits blind trust in AI-driven automation, turning convenience into a long-term security risk. While a patch was released on July 30, 2025, the exposure period left organizations vulnerable to stealthy, continuous attacks with potential for large-scale data breaches or supply-chain compromises if exploited in shared repositories.
TPRM report: https://www.rankiteo.com/company/anysphereinc
"id": "any5853058110525",
"linkid": "anysphereinc",
"type": "Vulnerability",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': ['Developers',
'Startups',
'Research Teams'],
'industry': 'Software Development (AI-Powered Tools)',
'name': 'Cursor',
'type': 'Private Company'}],
'attack_vector': ['Compromised Software Dependency',
'Manipulated Configuration Files (MCP)',
'Social Engineering (Trusted Repository Abuse)'],
'customer_advisories': ['Users instructed to apply the July 30, 2025 security '
'update.',
'Warning against approving untrusted MCP '
'configurations.',
'Guidance provided on securing development '
'environments.'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['MCP Configuration Files',
'Project Source Files'],
'personally_identifiable_information': ['Developer Identities '
'(via Credentials)'],
'sensitivity_of_data': ['High (Intellectual Property)',
'High (Access Credentials)'],
'type_of_data_compromised': ['Source Code',
'Developer Credentials',
'Internal Documentation']},
'date_detected': '2025-07-16',
'date_publicly_disclosed': '2025-07-30',
'date_resolved': '2025-07-30',
'description': 'Security researchers from Check Point discovered a critical '
"vulnerability (CVE-2025-54136, dubbed 'MCPoison') in the "
'AI-based developer tool Cursor. The flaw allows attackers to '
'permanently inject malicious code into development projects '
'via the Model Context Protocol (MCP) configuration without '
'user detection or re-prompting. Once an MCP configuration is '
'approved, it remains active even if later manipulated, '
'enabling silent, persistent remote code execution each time '
'the project is opened. This poses risks such as backdoor '
'access, data theft, intellectual property loss, and erosion '
'of trust in AI tools. The vulnerability was patched in a '
'security update released on July 30, 2025.',
'impact': {'brand_reputation_impact': ['Erosion of Trust in AI Tools',
"Negative Perception of Cursor's "
'Security Practices'],
'data_compromised': ['Source Code',
'Local Developer Credentials',
'Internal Documentation',
'Access Tokens'],
'identity_theft_risk': ['Developer Credentials', 'API Keys'],
'operational_impact': ['Disruption of Development Workflows',
'Loss of Developer Productivity',
'Incident Response Overhead'],
'systems_affected': ['Cursor IDE (AI-Powered Developer Tool)',
'Projects Using MCP Configurations']},
'initial_access_broker': {'backdoors_established': ['Persistent Remote Code '
'Execution via MCP'],
'entry_point': ['Compromised MCP Configuration in '
'Shared Repository'],
'high_value_targets': ['Source Code',
'Developer Credentials',
'Internal Documentation']},
'investigation_status': 'Resolved (Patch Released)',
'lessons_learned': ['AI-powered tools introduce new attack surfaces by '
'automating trust in workflows.',
'Permanent approval mechanisms for configurations can be '
'exploited for persistent access.',
'Collaborative environments amplify risks when malicious '
'changes go unnoticed.',
'Blind trust in automation undermines security, '
'especially in shared repositories.'],
'motivation': ['Espionage',
'Intellectual Property Theft',
'Persistent Access',
'Data Exfiltration'],
'post_incident_analysis': {'corrective_actions': ['Implemented re-validation '
'prompts for modified MCP '
'configurations.',
'Enhanced logging for MCP '
'execution events.',
'Added warnings for '
'high-risk MCP operations.',
'Published security best '
'practices for Cursor '
'users.'],
'root_causes': ['Overly permissive trust model for '
'MCP configurations.',
'Lack of re-validation for '
'approved configurations after '
'modification.',
'Insufficient developer awareness '
'of MCP risks.',
'Automated workflows bypassing '
'manual security checks.']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Treat MCP files with the same rigor as source code '
'(version control, audits).',
'Avoid approving MCP configurations without full '
'understanding of their functionality.',
'Restrict write access to repositories to authorized '
'personnel only.',
'Implement continuous monitoring for changes to MCP '
'configurations.',
'Educate developers on the risks of automated workflows '
'and social engineering tactics.',
'Adopt a zero-trust approach to third-party integrations '
'in development tools.'],
'references': [{'source': 'Check Point Research (CPR) Blog',
'url': 'https://research.checkpoint.com/2025/cursor-ide-persistent-code-execution-via-mcp-trust-bypass/'},
{'source': 'Technical Details & Demo Video',
'url': 'https://research.checkpoint.com/2025/cursor-mcpoison-demo/'}],
'response': {'communication_strategy': ['Public Disclosure via Blog Post',
'Technical Details and Demo Video',
'Recommendations for Mitigation'],
'containment_measures': ['Security Patch (July 30, 2025)',
'MCP Configuration Validation'],
'enhanced_monitoring': ['MCP Configuration Changes',
'Repository Activity'],
'incident_response_plan_activated': True,
'remediation_measures': ['Code Audits for MCP Files',
'Access Control Restrictions',
'Developer Awareness Training'],
'third_party_assistance': ['Check Point Research (CPR)']},
'stakeholder_advisories': ['Developers urged to update Cursor immediately.',
'Teams advised to audit MCP configurations in '
'existing projects.',
'Organizations recommended to review access '
'controls for shared repositories.'],
'title': 'MCPoison Vulnerability in Cursor AI-Based Developer Tool '
'(CVE-2025-54136)',
'type': ['Vulnerability Exploitation',
'Remote Code Execution (RCE)',
'Supply Chain Attack'],
'vulnerability_exploited': 'CVE-2025-54136 (MCPoison - MCP Trust Bypass)'}