Cursor fixes RCE vulnerability as developers' trust in AI coding tools plummets
"AI-powered tools are introducing attack surfaces we’ve never seen before. We’re entering a new era of security threats."

Last week, an annual survey of almost 50,000 developers revealed that trust in the accuracy of AI has plunged by more than 10%.
Now one of the world's fastest-growing AI-powered development environments has suffered a remote code execution vulnerability, raising questions about whether confidence could be set to plunge even further.
Check Point discovered an RCE vulnerability tracked as CVE-2025-54136 in Cursor, which accelerates software development via LLM-driven automation.
Although Cursor has now fixed the bug in an update, researchers said it could have enabled silent, persistent code execution through the platform's Model Context Protocol (MCP), which enables the Integrated Development Environment (IDE) to define and execute workflows involving APIs, LLM-generated commands or local command execution.
Oded Vanunu, Chief Technologist & Head of Product's Vulnerability Research at Check Point Software, said: "AI-powered developer tools are introducing attack surfaces we’ve never seen before. For years, we’ve focused on defending against traditional supply chain attacks, but now it’s clear we’re entering a new era of cybersecurity threats."
Silent, persistent and potentially very scary
Check Point alleged that the handling of configuration files could allow attackers to silently run malicious code on a user's computer.
They claimed that the automatic processing of files every time a project is opened, combined with a one-time approval model for MCP, means that future commands are trusted without further warning.
In a proof-of-concept attack, a benign command was initially approved by the user, then quietly replaced with a reverse shell.
Each time the project was reopened, the malicious command ran without notice, which could grant persistent remote access.
"This effectively turns a trusted file into a persistent, auto-triggered backdoor," Check Point alleged.
An attacker with write access to a shared repository could potentially use a bug of this kind to achieve ongoing remote access, by embedding a reverse shell into an MCP configuration so that arbitrary local commands execute silently every time the victim opens their IDE.
Additionally, a similar vulnerability could let threat actors escalate privileges within the user context (which is "especially dangerous" on developer machines with cloud credentials or source code access) and "persist indefinitely" because the malicious MCP is re-executed every time a product is launched or a repository is synced.
"This vulnerability enables persistent, silent, and remote code execution in any Cursor-based development environment," researchers alleged. "Once an MCP is approved, the attacker can repeatedly inject malicious commands without user awareness."
Check Point disclosed the flaw to Cursor on July 16, 2025, and a fix was issued on July 30 as part of the 1.3.9 update.
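The report describes an approval that stays valid after the approved command has been replaced. As an added defensive example (not Cursor's or Check Point's code), the sketch below pins each approval to a hash of what the entry would execute, so any edit forces a fresh prompt. The `mcpServers` JSON layout, the entry names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import json

# Constructed sample configs: same entry name, different command after the swap.
APPROVED_CFG = '{"mcpServers": {"build-helper": {"command": "echo", "args": ["hello"]}}}'
REORDERED_CFG = '{"mcpServers": {"build-helper": {"args": ["hello"], "command": "echo"}}}'
SWAPPED_CFG = json.dumps({"mcpServers": {
    "build-helper": {"command": "placeholder-binary", "args": ["--anything"]},
    "extra": {"command": "echo", "args": ["added later"]},
}})


def fingerprint(entry):
    """Hash every field that decides what gets executed, not just the entry name."""
    material = {key: entry.get(key) for key in ("command", "args", "env")}
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def approve(config_text):
    """Record name -> fingerprint at the moment the user approves the config."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: fingerprint(entry) for name, entry in servers.items()}


def review(config_text, approvals):
    """Classify each entry as 'approved', 'changed' (re-prompt) or 'new' (prompt)."""
    servers = json.loads(config_text).get("mcpServers", {})
    verdicts = {}
    for name, entry in servers.items():
        if name not in approvals:
            verdicts[name] = "new"
        elif approvals[name] != fingerprint(entry):
            verdicts[name] = "changed"
        else:
            verdicts[name] = "approved"
    return verdicts


def runnable(config_text, approvals):
    """Only entries whose content still matches an approval may start unprompted."""
    verdicts = review(config_text, approvals)
    return sorted(name for name, verdict in verdicts.items() if verdict == "approved")


if __name__ == "__main__":
    pinned = approve(APPROVED_CFG)
    print(review(SWAPPED_CFG, pinned))
```

The same comparison works as a pre-open or CI check on a shared repository: a 'changed' or 'new' verdict on a committed MCP entry is the signal to review before anyone opens the project.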
We have contacted Cursor for comment.
Are developers losing trust in AI?
Last week, Stack Overflow's annual developer survey warned that "cracks in the foundation are showing as more developers use AI".
It wrote: "Trust but verify? Developers are frustrated, and this year’s results demonstrate that the future of code is about trust, not just tools. AI tool adoption continues to climb, with 80% of developers now using them in their workflows.
"Yet this widespread use has not translated into confidence. In fact, trust in the accuracy of AI has fallen from 40% in previous years to just 29% this year. We’ve also seen positive favorability in AI decrease from 72% to 60% year over year."
The "number-one frustration" cited by 45% of respondents is dealing with "AI solutions that are almost right, but not quite," which makes debugging more time-consuming.
Two-thirds (66%) of developers said they spent time fixing "almost-right" AI-generated code.
Stack Overflow added: "The adoption of AI agents is far from universal. We asked if the AI agent revolution was here, and the answer is a definitive 'not yet'. While 52% of developers say agents have affected how they complete their work, the primary benefit is personal productivity: 69% agree they've seen an increase.
"When asked about 'vibe coding'—generating entire applications from prompts—nearly 72% said it is not part of their professional work, and an additional 5% emphatically do not participate in vibe coding. This aligns with the fact that most developers (64%) do not see AI as a threat to their jobs, but they are less confident about that compared to last year (when 68% believed AI was not a threat to their job)."