A vulnerability that researchers call CurXecute is present in almost all versions of the AI-powered code editor Cursor, and can be exploited to execute remote code with developer privileges.
The security issue is now tracked as CVE-2025-54135 and can be leveraged by feeding the AI agent a malicious prompt that triggers attacker-controlled commands.
The Cursor integrated development environment (IDE) relies on AI agents to help developers code faster and more efficiently, allowing them to connect with external resources and systems using the Model Context Protocol (MCP).
According to the researchers, a hacker successfully exploiting the CurXecute vulnerability could open the door to ransomware and data theft incidents.
Prompt-injection attack
CurXecute is similar to the EchoLeak vulnerability in Microsoft 365 Copilot, which could be used to steal sensitive data without any user interaction.
After discovering and understanding EchoLeak, the researchers at Aim Security, an AI cybersecurity company, learned that even a local AI agent could be influenced by external input into taking malicious actions.
Cursor IDE has support for the MCP open-standard framework, which extends an agent’s capabilities and context by allowing it to connect to external data sources and tools.
“MCP turns a local agent into a Swiss‑army knife by letting it spin up arbitrary servers - Slack, GitHub, databases - and call their tools from natural language” - Aim Security
However, the researchers warn that this can compromise the agent as it is exposed to external, untrusted data that can affect its control flow.