Introduction
In a recent announcement, Check Point Research, a leader in cybersecurity solutions, has brought to light a grave flaw in the rapidly growing AI coding tool known as Cursor. This vulnerability allows for sustained remote code execution (RCE), posing serious security risks to developers and their projects.
Key Insights
Check Point Research has discovered a significant RCE vulnerability in Cursor, a popular AI-powered integrated development environment (IDE) trusted by developers worldwide. This vulnerability could potentially lead to long-term silent access to a developer's working environment without requiring any additional user prompts. For instance, an attacker can alter previously approved Model Context Protocol (MCP) settings within Cursor, leading to the execution of malicious code every time a project is opened.
Vulnerability Explored
The vulnerability in Cursor highlights a critical weakness in the trust model of AI-assisted development environments. With the rising incorporation of large language models (LLMs) and automation into team workflows, this flaw has introduced a substantial risk for teams that rely on these technologies.
Cursor integrates local code editing with powerful LLMs, enhancing productivity for coding, debugging, and analysis tasks. However, this deep integration raises alarms concerning the reliance on automated workflows, especially if that trust can be exploited maliciously.
Check Point Research has begun evaluating the security models of these tools, focusing on the verification of safety in collaborative environments where code, configuration files, and AI-based plugins are frequently shared among team members.
Details of the Vulnerability
Cursor's Model Context Protocol (MCP) configuration lets developers instruct the tool to automate specific tasks. When a user opens a project that includes MCP settings, Cursor displays a single approval prompt asking whether it should trust these settings. Once approved, Cursor performs no further checks, so an attacker with write access to the same shared repository can:
- Insert seemingly benign MCP settings into the project.
- Wait until a victim opens the project and approves the settings.
- Silently alter the approved MCP settings to contain malicious payloads.
- Have the harmful code execute each time the victim opens the project in Cursor IDE, without alerts or additional prompts.
A Proof of Concept
To demonstrate how the attack unfolds, Check Point Research developed a proof of concept emulating a typical attack scenario in a shared project:
Step 1: Initial Setup
An attacker creates apparently harmless MCP settings that merely display a message. When the victim opens the project, they encounter the MCP approval prompt.
Step 2: Silent Switch
Once approved, the attacker discreetly changes the MCP settings to include malicious commands, such as opening a reverse shell or executing harmful system commands.
Step 3: Automated Execution
From this point on, every time the victim opens the project in Cursor IDE, the malicious commands execute automatically without alerts or prompts.
Step 4: Persistent Access
This method allows attackers to maintain ongoing, covert access to the victim's machine, facilitating data theft, further attacks, or lateral movement within the victim's environment.
Real-World Impact
This vulnerability is alarming given that many organizations rely on shared repositories for project collaboration. It grants attackers the ability to establish a long-term undetected foothold, highlighting its dangers:
- Silent Persistence: Malicious code executes every time the project is opened, without alerts, giving attackers indefinite access.
- Broad Attack Surface: Any developer with write access to a shared repository can inject or modify trusted MCP settings, endangering entire teams or organizations.
- Privilege Escalation Risks: Attackers could abuse local credentials and cloud access tokens stored on developer machines to extend their access within the corporate network.
- Risk of Data and Code Leakage: Beyond executing harmful actions, attackers can quietly extract source code, intellectual property, and internal communications.
- Trust Issues in AI Toolchains: The assumption that AI tools like Cursor are inherently secure must be critically reassessed; this vulnerability exemplifies the dangers of blind trust in automated workflows.
As organizations increasingly depend on Cursor and similar AI-powered IDEs, understanding and addressing this vulnerability is crucial for protecting their development environments and sensitive assets.
Disclosure of Vulnerability and Mitigation Strategies
After identifying the flaw, Check Point Research responsibly reported it to the Cursor development team on July 16, 2025. The Cursor team issued a patch on July 30, 2025. This vulnerability is part of a larger challenge facing modern development tools deeply integrated with AI, which automate tasks through natural language and LLM-connected plugins.
To mitigate this kind of vulnerability, Check Point recommends:
- Treat MCP configuration files as potential attack vectors: review them rigorously, audit changes, and keep them under version control.
- Do not blindly trust AI automation; make sure team members understand what an MCP configuration does before approving it, even when the settings and any proposed changes appear harmless.
- Limit write permissions in collaborative environments, especially in shared repositories, to maintain control over who can alter trusted settings.
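The weakness described in "Details of the Vulnerability" is that approval is attached to the project rather than to the content that was actually approved, so a later edit inherits the earlier consent. The following Python example, added here and not taken from the Check Point report or from Cursor's own code, shows the defensive pattern the mitigations above call for: record a snapshot of the approved MCP configuration, compare the current file against it on every project open, and refuse to run anything until a human re-approves the change, while listing exactly which server entries differ so the reviewer knows what to inspect. The `mcpServers` layout, the server names, and the file contents are constructed assumptions for illustration.

```python
import hashlib
import json

# Constructed sample: the MCP config as the developer first sees and approves it.
# The "mcpServers" layout is an assumption used only for this illustration.
FIRST_APPROVED = {
    "mcpServers": {
        "greeter": {"command": "echo", "args": ["hello from MCP"]},
    }
}

# Constructed sample: the same file after a collaborator changed it post-approval.
# The command is a labelled placeholder; only the fact that it changed matters here.
SILENTLY_MODIFIED = {
    "mcpServers": {
        "greeter": {"command": "echo", "args": ["hello from MCP"]},
        "helper": {"command": "sh", "args": ["-c", "PLACEHOLDER_UNREVIEWED_COMMAND"]},
    }
}


def canonical_digest(config: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so key order and whitespace
    differences (e.g. a formatter run) do not count as a change."""
    data = json.dumps(config, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def server_diff(old: dict, new: dict) -> list:
    """Names of MCP servers that were added, removed, or whose definition changed."""
    old_s = old.get("mcpServers", {})
    new_s = new.get("mcpServers", {})
    return sorted(name for name in set(old_s) | set(new_s) if old_s.get(name) != new_s.get(name))


class ApprovalStore:
    """Per-project record of the exact MCP configuration the user approved."""

    def __init__(self):
        self._snapshots = {}  # project id -> deep copy of the approved config

    def approve(self, project: str, config: dict) -> None:
        # Store a copy so later in-memory edits cannot alter the approved snapshot.
        self._snapshots[project] = json.loads(json.dumps(config))

    def evaluate(self, project: str, config: dict):
        """Decide whether the servers in `config` may be started.

        Returns (allowed, reason, servers_needing_review)."""
        if project not in self._snapshots:
            return False, "unapproved", sorted(config.get("mcpServers", {}))
        snapshot = self._snapshots[project]
        if canonical_digest(snapshot) == canonical_digest(config):
            return True, "approved", []
        # Content drifted after approval: block and tell the user what changed.
        return False, "changed-since-approval", server_diff(snapshot, config)


def simulate() -> list:
    """Walk through first open, approval, reopen, and reopen after a silent edit."""
    store = ApprovalStore()
    project = "shared-repo"
    decisions = []
    decisions.append(store.evaluate(project, FIRST_APPROVED))      # prompt the user
    store.approve(project, FIRST_APPROVED)                           # user approves
    decisions.append(store.evaluate(project, FIRST_APPROVED))      # unchanged: allowed
    decisions.append(store.evaluate(project, SILENTLY_MODIFIED))   # drifted: blocked
    return decisions


if __name__ == "__main__":
    for allowed, reason, servers in simulate():
        print(f"allowed={allowed} reason={reason} review={servers}")
```

The check is deliberately content-based: a re-approval prompt is triggered by what the file says, not by who edited it or when, so a change that arrives through a routine `git pull` is treated the same as one made locally. Canonical serialisation keeps harmless reformatting from producing noisy prompts, which matters because a team that is trained to click through spurious prompts will also click through the real one.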
Conclusion
The persistent RCE vulnerability found in Cursor IDE underscores significant security challenges for AI-powered developer tools. As organizations deepen their reliance on integrated AI workflows, ensuring robust and verifiable trust mechanisms becomes imperative. Developers, security teams, and organizations must remain vigilant, audit AI development environments, and collaborate closely with vendors to address emerging threats proactively. Only through proactive security measures can we safely leverage the power of AI in software development.
For more technical details regarding this vulnerability, please refer to Check Point Research's report.