
Zero-Click Remote Code Execution: Exploiting MCP & Agentic IDEs

Blog post from Lakera

Post Details
Author: Lakera Team
Word Count: 2,431
Summary

A recent study highlights a zero-click remote code execution exploit against agentic Integrated Development Environments (IDEs) such as Cursor, demonstrating how attackers can use common AI coding assistants to execute malicious instructions without user interaction. The attack exploits the Model Context Protocol (MCP) and integrations like Google Docs: attackers silently share documents with victims, and the AI assistant then processes the documents and executes the instructions they contain, leading to credential theft and persistent system access. This vulnerability arises not from a patchable bug but from the inherent functionality of agentic workflows and MCPs, which turns them into potential entry points for large-scale organizational attacks. The research emphasizes the need for layered defenses, including robust guardrails, cautious allow lists, and hardened configurations, to prevent such exploitation and secure AI-driven environments.