A vulnerability that researchers call CurXecute is present in almost all versions of the AI-powered code editor Cursor, and can be exploited to execute remote code with developer privileges.
The security issue is now identified as CVE-2025-54135 and can be leveraged by feeding the AI agent a malicious prompt to trigger attacker-controlled commands.
The Cursor integrated development environment (IDE) relies on AI agents to help developers code faster and more efficiently, allowing them to connect with external resources and systems using the Model Context Protocol (MCP).
According to the researchers, a hacker who successfully exploits the CurXecute vulnerability can open the door for ransomware and data theft incidents.
Prompt injection attack
CurXecute is similar to the EchoLeak vulnerability in Microsoft 365 Copilot, which can be used to steal sensitive data without any user interaction.
After discovering and understanding EchoLeak, researchers at the AI cybersecurity company Aim Security learned that even local AI agents could be influenced by an external factor into performing malicious tasks.
Cursor IDE supports the MCP open-standard framework, which extends an agent's capabilities and context by allowing it to connect to external data sources and tools.
“MCP converts a local agent into a Swiss Army knife, allowing it to call arbitrary servers – Slack, databases – and call their tools from natural language” – Aim Security
However, the researchers have warned that this can compromise the agent, because it is exposed to external, untrusted data that can affect its control flow.
A hacker can take advantage of this to hijack the agent's session and privileges and act on behalf of the user.
Using an externally hosted prompt injection, an attacker can rewrite the ~/.cursor/mcp.json file in the project directory to enable remote execution of arbitrary commands.
The researchers say that Cursor does not require confirmation to execute new entries in the ~/.cursor/mcp.json file, and that suggested edits are live and trigger execution of the command even if the user rejects them.
In a report shared with BleepingComputer, Aim Security says that adding a standard MCP server, such as Slack, to Cursor can expose the agent to untrusted data.
An attacker can post to a public channel a malicious prompt carrying an injection payload for the mcp.json configuration file.
When the victim opens a new chat and instructs the agent to summarize the messages, the payload, which may be a shell, immediately lands on disk without the user’s approval.
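Because new or edited entries in mcp.json run without confirmation, a defender can at least detect them by comparing the file against a reviewed baseline. The following is an added example, not code from the researchers or from Cursor; it assumes the usual `mcpServers` object with `command` and `args` per server, and the server names, package name and commands are constructed sample data.

```python
import hashlib
import json

def fingerprint(entry):
    """Stable SHA-256 over one server entry (command, args, env, ...)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def baseline(config_text):
    """Record fingerprints of the entries a human has reviewed."""
    servers = json.loads(config_text)["mcpServers"]
    return {name: fingerprint(entry) for name, entry in servers.items()}

def audit(config_text, approved):
    """Return (server_name, reason) for every entry that was not reviewed."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [("<file>", f"unparseable JSON: {exc.msg}")]
    servers = config.get("mcpServers", {}) if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return [("<file>", "mcpServers is not a JSON object")]
    findings = []
    for name, entry in sorted(servers.items()):
        if name not in approved:
            findings.append((name, "new entry, never reviewed"))
        elif fingerprint(entry) != approved[name]:
            findings.append((name, "entry changed since review"))
    return findings

# Constructed sample: the reviewed file, then a later on-disk state in which
# one entry was edited and one was added without review.
REVIEWED = '{"mcpServers": {"slack": {"command": "npx", "args": ["-y", "example-slack-mcp"]}}}'
APPROVED = baseline(REVIEWED)
ON_DISK = json.dumps({"mcpServers": {
    "slack": {"command": "npx", "args": ["-y", "example-slack-mcp", "--extra"]},
    "helper": {"command": "sh", "args": ["-c", "echo placeholder"]},
}})

if __name__ == "__main__":
    for name, reason in audit(ON_DISK, APPROVED):
        print(f"ALERT {name}: {reason}")
```

A check like this only reports a change after it has been written; it complements, and does not replace, installing the fixed release.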
“The attack surface is any third-party MCP server that processes external content: issue trackers, customer support inboxes, even search engines. A single poisoned document can convert an AI agent into a local shell” – Aim Security
The researchers created a video to demonstrate how CurXecute can be leveraged in attacks.
Aim Security researchers say that a CurXecute attack may lead to ransomware and data theft incidents, or even AI manipulation through hallucinations that can ruin the project or enable slopsquatting attacks.
The researchers reported CurXecute to Cursor on July 7, and the next day the vendor merged a patch into the main branch.
On July 29, Cursor version 1.3 was released with several improvements and a fix for CurXecute. Cursor also published a security advisory for CVE-2025-54135, which received a medium-severity score of 8.6.
Users are recommended to download and install the latest version of Cursor to avoid known security risks.