Cursor Vulnerability: AI Code Assistant Supply-Chain Flaw Exposes Credentials
Executive Summary
In early 2024, security researchers uncovered a significant supply-chain vulnerability affecting Cursor, an AI-powered coding assistant, enabling attackers to hijack Cursor's internal application browser via a malicious MCP (Model Control Protocol) server. Exploiting this weakness, threat actors could inject malicious code through the compromised server, control the tool’s browser processes, and steal sensitive user credentials, potentially jeopardizing developer environments and broader organizational security. The vulnerability allows attackers to manipulate trusted workspace sessions, escalating the risk of lateral movement within corporate infrastructure.
This incident highlights the increasing risks associated with AI-driven developer tools and the broader supply chain, reflecting a growing attacker focus on abusing trust relationships within cloud-native and collaborative software platforms. Organizations must revisit supply-chain security and adopt robust detection and response strategies for AI-enabled environments.
Why This Matters Now
As AI-powered development tools become essential in coding workflows, the discovery of this Cursor vulnerability underscores how trusted software can become a gateway for sophisticated credential theft and supply-chain attacks. The urgency is heightened by the expanding attack surface of AI-integrated environments, making rapid response and updated security practices crucial for preventing downstream compromise.
Attack Path Analysis
The attacker gained initial access via exploitation of a vulnerability in the AI-powered coding tool's internal browser, using a malicious MCP server as a supply chain vector. Following compromise, they escalated privilege by leveraging session tokens or process-level access within the application's context. Lateral movement occurred through east-west traffic, potentially compromising adjacent cloud workloads or internal browser sessions. Command & Control was likely maintained over encrypted or unmonitored outbound channels, enabling persistent attacker communication. Sensitive credentials and data were next exfiltrated through unfiltered egress or browser channels. The impact included potential credential theft for further access or downstream compromise across the supply chain.
Kill Chain Progression
Initial Compromise
Description
Attacker exploited a browser vulnerability tied to a malicious MCP server, gaining access to the AI-powered coding tool via a supply chain vector.
Related CVEs
CVE-2025-54135
CVSS 8.6A prompt injection vulnerability in Cursor's MCP auto-start functionality allows remote code execution without user interaction.
Affected Products:
Anysphere Cursor – < 1.3
Exploit Status:
exploited in the wildCVE-2025-54136
CVSS 7.2An indirect prompt injection vulnerability in Cursor allows modification of MCP files, leading to arbitrary code execution.
Affected Products:
Anysphere Cursor – < 1.3
Exploit Status:
proof of conceptCVE-2025-61593
CVSS 8.8A vulnerability in Cursor's CLI Agent allows attackers to modify sensitive files through prompt injection, leading to remote code execution.
Affected Products:
Anysphere Cursor – <= 1.7
Exploit Status:
proof of conceptCVE-2025-54133
CVSS 7.3A UI information disclosure vulnerability in Cursor's MCP deeplink handler allows attackers to execute arbitrary system commands through social engineering.
Affected Products:
Anysphere Cursor – 1.17 - 1.2
Exploit Status:
proof of conceptCVE-2025-61591
CVSS 8.8When MCP uses OAuth authentication with an untrusted MCP server, an attacker can impersonate a malicious MCP server and return crafted, maliciously injected commands during the interaction process, leading to command injection and potential remote code execution.
Affected Products:
Anysphere Cursor – <= 1.7
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Supply Chain Compromise
Valid Accounts
Credentials from Password Stores
Command and Scripting Interpreter
User Execution
Modify Authentication Process
Phishing
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management
Control ID: Art. 6
CISA ZTMM 2.0 – Multi-Factor Authentication and Credential Protection
Control ID: Identity Pillar: Control 2.2
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI-powered coding tools like Cursor create supply-chain vulnerabilities enabling credential theft through malicious MCP servers, compromising development environments and intellectual property.
Information Technology/IT
IT organizations face elevated supply-chain risks from compromised AI development tools, requiring enhanced zero trust segmentation and threat detection capabilities.
Financial Services
Financial institutions using AI coding tools risk credential theft and data exfiltration, violating PCI compliance and exposing sensitive financial data.
Health Care / Life Sciences
Healthcare organizations utilizing AI development tools face HIPAA compliance violations and patient data exposure through supply-chain credential stealing attacks.
Sources
- Cursor Issue Paves Way for Credential-Stealing Attackshttps://www.darkreading.com/vulnerabilities-threats/cursor-issue-credential-stealing-attacksVerified
- Vulnerabilities in Cursor AI Could Be Exploited for Arbitrary Code Execution – HackMaghttps://hackmag.com/news/cursor-ai-bugsVerified
- NVD - CVE-2025-54135https://nvd.nist.gov/vuln/detail/CVE-2025-54135Verified
- Technical Advisory: Multiple Vulnerabilities in Cursor AI Code Editorhttps://www.geordie.ai/resources/technical-advisory-multiple-vulnerabilities-in-cursor-ai-code-editorVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust segmentation, east-west traffic controls, egress enforcement, and real-time threat detection would have limited attacker movement, restricted compromise propagation, and alerted on unauthorized data exfiltration. CNSF controls reduce the potential blast radius of such supply chain attacks and provide deep visibility across multi-cloud workloads.
Control: Zero Trust Segmentation
Mitigation: Granular segmentation reduces the attack surface exposed to supply chain exploit vectors.
Control: Kubernetes Security (AKF)
Mitigation: Pod- and namespace-level controls contain privilege escalation to within the affected application segment.
Control: East-West Traffic Security
Mitigation: East-west controls block unauthorized lateral movement between workloads and regions.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalies or unauthorized C2 traffic are detected and alerted in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Egress controls prevent unauthorized data exports and suspicious outbound connections.
Autonomous inline controls minimize attack blast radius and accelerate detection/containment.
Impact at a Glance
Affected Business Functions
- Software Development
- Code Review
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of source code, intellectual property, and developer credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Apply Zero Trust Segmentation to all workloads, strictly limiting east-west communication and external exposure.
- • Enforce egress controls and FQDN filtering to prevent unauthorized data exfiltration or command and control activity.
- • Enable real-time threat detection and anomaly response to spot unusual outbound or lateral traffic tied to supply chain components.
- • Implement Kubernetes and pod-level security controls to contain any escalation or movement originating from compromised app containers.
- • Regularly audit and refine distributed CNSF policies to adapt to evolving supply chain and cloud-native attack vectors.
