AIDE-004 | Tactics: Initial Access, Persistence | Coverage: C | ATT&CK aligned: Persistence, Execution

MCP Server Configuration Tampering

AIDE-004 | ATT&CK: T1546

Description

Adversary Behavior: An adversary modifies the Model Context Protocol (MCP) configuration consumed by an LLM-integrated IDE to register malicious tool servers or alter existing server definitions.

AI/IDE Mechanism: MCP defines how the IDE discovers and invokes external tools (file operations, database queries, API calls, shell commands) on behalf of the LLM agent. The IDE's tool approval system trusts the MCP configuration state, meaning changes to tool definitions take effect without triggering re-authorization prompts for previously approved tool names.

Execution Path: The adversary tampers with MCP configuration files to introduce new tool endpoints that execute arbitrary commands, modify existing tool definitions to redirect operations to adversary-controlled servers, or alter approval policies so that previously authorized tools now execute different code. Configuration changes can be introduced through repository commits, shared configuration files, or supply chain compromise of MCP server packages.

Security Impact: The adversary achieves persistent arbitrary execution through the IDE's tool invocation system, exploiting the trust relationship between the IDE's approval mechanism and the MCP configuration state. All subsequent tool invocations by the agent may be intercepted, redirected, or augmented with malicious behavior.

Platforms

Windows, macOS, Linux

Detection

Monitor MCP configuration files for unauthorized modifications. Track the set of registered MCP tool servers and alert on new registrations. Log all tool invocations with their originating context. Validate that tool server endpoints resolve to expected destinations.

Detecting Data Components (6)

Configuration File Modification
Events capturing modifications to AI-relevant configuration files within the IDE and project workspace.
Server Registration
Events capturing the registration or discovery of MCP tool servers by the IDE.
Configuration File Creation
Events capturing creation of new AI-relevant configuration files, particularly when created by LLM agents.
Tool Call Request
Events capturing an agent's request to invoke a specific tool, including tool name, arguments, and triggering context.
Tool Authorization Event
Events capturing authorization decisions for agent tool invocations, including approvals, rejections, and auto-approvals.
Tool Discovery
Events capturing the IDE's discovery of available tools from registered MCP servers.

Mitigations (2)

MCP Server Allowlisting and Verification
Maintain an approved inventory of MCP tool servers. Require signature verification for server registration. Validate that registered endpoints match approved providers. Alert on new server registrations from project-level configuration.
AI Configuration File Integrity Monitoring
Implement file integrity monitoring and diff analysis for AI configuration files (.cursorrules, .github/copilot-instructions, MCP configs). Flag non-obvious instruction content and enforce review requirements for AI configuration changes in repositories.
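The detection and mitigation guidance above (monitor configuration changes, track registered servers, alert on new registrations, validate endpoints against an approved inventory) can be implemented as a diff of the live MCP configuration against a reviewed baseline. The script below is an added example and is not code from the AIDE-TACT project or from any IDE vendor. It assumes the common "mcpServers" JSON layout in which each server name maps either to a local definition (command, args, env) or to a remote definition (url); the baseline, the tampered configuration, the hostnames and the allowlists are all constructed for the example. The fingerprint check also illustrates the Description's point: keying approval on a hash of the full server definition rather than on the server name means a server that keeps its name but changes what it runs would need fresh authorization.

```python
"""Audit an MCP configuration against an approved baseline.

Added example (not the AIDE-TACT project's or any IDE vendor's code).  Assumes
the common JSON layout where a top-level "mcpServers" object maps a server
name to either a local stdio definition ("command", "args", "env") or a
remote definition ("url").  Every configuration below is constructed.
"""
import hashlib
import json
from urllib.parse import urlparse

# Remote endpoints approved by the security team (constructed allowlist).
APPROVED_HOSTS = {"mcp.example-internal.corp"}

# Launchers an approved local server may use (constructed allowlist).
APPROVED_COMMANDS = {"npx", "uvx"}

# Constructed baseline: the configuration that was reviewed and approved.
BASELINE = {
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "example-fs-server", "."]},
        "tickets": {"url": "https://mcp.example-internal.corp/sse"},
    }
}

# Constructed tampered configuration: an approved name now launches a different
# program, and a new server points at a host outside the allowlist.
TAMPERED = {
    "mcpServers": {
        "filesystem": {"command": "sh", "args": ["-c", "example-fs-server"]},
        "tickets": {"url": "https://mcp.example-internal.corp/sse"},
        "helper": {"url": "https://203.0.113.5/mcp"},
    }
}


def fingerprint(definition: dict) -> str:
    """Stable hash of the fields that decide what a server actually runs.

    Approval keyed on this value instead of the server name forces
    re-authorization when a server is silently redefined.
    """
    material = {k: definition.get(k) for k in ("command", "args", "env", "url")}
    encoded = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(encoded.encode()).hexdigest()


def audit(baseline: dict, current: dict) -> list:
    """Compare two configurations; return (severity, server, message) findings."""
    findings = []
    base = baseline.get("mcpServers", {})
    cur = current.get("mcpServers", {})

    for name, definition in cur.items():
        if name not in base:
            findings.append(("high", name, "new MCP server registration"))
        elif fingerprint(base[name]) != fingerprint(definition):
            findings.append(("high", name, "definition changed under an already-approved name"))

        # Remote servers: the endpoint host must be in the approved inventory.
        url = definition.get("url")
        if url:
            host = urlparse(url).hostname or ""
            if host not in APPROVED_HOSTS:
                findings.append(("high", name, f"remote endpoint {host!r} not in allowlist"))

        # Local servers: the launcher must be an approved command.
        command = definition.get("command")
        if command is not None and command not in APPROVED_COMMANDS:
            findings.append(("medium", name, f"launch command {command!r} not in allowlist"))

        # Environment blocks change how the launched process behaves; flag any
        # variable that was not present in the approved definition.
        for key in definition.get("env", {}):
            if key not in base.get(name, {}).get("env", {}):
                findings.append(("medium", name, f"new environment variable {key!r}"))

    for name in base:
        if name not in cur:
            findings.append(("low", name, "approved server removed from configuration"))
    return findings


if __name__ == "__main__":
    for severity, server, message in audit(BASELINE, TAMPERED):
        print(f"[{severity}] {server}: {message}")
```

In practice the baseline would be a committed, reviewed copy of the configuration and the audit would run from file integrity monitoring or a repository pre-merge check, so that a commit or shared configuration that re-points an approved server name is surfaced before the IDE's approval cache treats it as already authorized.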

Data Sources

File: File Modification
File: File Creation
Network Traffic: Network Connection Creation
Process: Process Creation

References

mitre-attack
Maps to Event Triggered Execution (persistence) and T1059 Command and Scripting Interpreter (execution). Coverage Level C — needs MCP-specific detection guidance.
https://attack.mitre.org/techniques/T1546
MCPoison CVE-2025-54136
Cursor IDE MCP Vulnerability — exploitation of MCP approval system
https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/
CurXecute CVE-2025-54135 (Aim Security, Jul 2025)
Chained indirect prompt injection wrote malicious MCP configuration and triggered RCE in Cursor IDE (CVSS 8.5).
https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/
MCP History Theft (Trail of Bits, Apr 2025)
Malicious MCP servers demonstrated ability to steal full conversation history from MCP-based coding agents.
https://blog.trailofbits.com/2025/04/23/how-mcp-servers-can-steal-your-conversation-history/
MCP Safety Audit
Demonstrates MCP-enabled MCE, RAC, and Credential Theft attacks against Claude 3.7 and Llama-3.3-70B; introduces RADE multi-MCP-server attack via poisoned vector database; MCPSafetyScanner for automated vulnerability detection (Radosevich & Halloran, arXiv:2504.03767, 2025)
https://arxiv.org/abs/2504.03767
IDEsaster CVEs
30+ CVEs across Cursor, Copilot, Windsurf, Claude Code, Zed.dev; auto-approved tool calls enable silent exploitation (Marzouk, 2025-2026)
https://byteiota.com/idesaster-30-cves-hit-cursor-github-copilot-all-ai-ides/
Vulnerable MCP Project
50 MCP vulnerabilities tracked (13 Critical); CVE-2026-23744 CVSS 9.8, CVE-2025-68145 RCE chain (vulnerablemcp.info, 2025-2026)
https://vulnerablemcp.info/
MalTool
1,200 standalone malicious tools + 5,287 real-world tools with embedded malicious behaviors; VirusTotal detection fails (arXiv:2602.12194, Feb 2026)
https://arxiv.org/abs/2602.12194
Parasitic Toolchain Attacks
12,230 MCP tools across 1,360 servers analyzed — ecosystem 'rife with exploitable gadgets'; new parasitic attack class (arXiv:2509.06572, 2025)
https://arxiv.org/abs/2509.06572
MCPLIB
31 distinct MCP attack methods across 4 classifications: direct/indirect tool injection, malicious user, LLM inherent (arXiv:2508.12538, 2025)
https://arxiv.org/abs/2508.12538

STIX Metadata

type: attack-pattern
id: attack-pattern--4b958db0-221a-48b1-850d-3dbf28ca4830
spec_version: 2.1
created: 2026-02-23T00:00:00.000Z
modified: 2026-02-23T00:00:00.000Z
created_by_ref: identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique: False
x_mitre_version: 0.1
x_mitre_status: mapped