Introduction
A critical vulnerability has been disclosed in Cursor, a widely adopted AI-assisted development environment with over 7 million active users. Identified by Mindgard and reported to the vendor in December 2025 without a subsequent patch, this flaw allows attackers to achieve arbitrary code execution (ACE) simply by having a developer open a malicious repository.
This is not a complex race condition or an obscure logic bug; it is a fundamental failure to validate execution paths. When a user loads a project, Cursor searches for git binaries. If a malicious actor plants a git.exe in the root of the repository, Cursor executes it automatically—without prompts, warnings, or user interaction—on a recurring cadence. Given the vendor's apparent inaction, defenders must implement immediate compensating controls to prevent supply chain compromises via this vector.
Technical Analysis
Affected Products & Platforms:
- Product: Cursor IDE (Windows versions)
- Platform: Windows (Primary focus of the PoC; macOS/Linux potentially susceptible depending on binary path resolution)
Vulnerability Details:
- Vulnerability Type: Untrusted Search Path / Relative Path Execution
- CWE ID: CWE-426 (Untrusted Search Path)
- Attack Vector: Local (via cloned repository)
- Impact: Arbitrary Code Execution, Privilege Escalation (context of the user running the IDE)
How the Attack Works:
- Initial Compromise: An attacker creates a public or private repository containing a malicious payload named
git.exe. - Victim Action: A developer, using the Cursor IDE, clones or opens this repository.
- Exploitation: Upon loading the workspace, Cursor initiates its internal version control checks. It searches for
gitbinaries in standard locations but fails to sanitize the current working directory. - Execution: Cursor discovers and executes the malicious
git.exefrom the project root. - Persistence: The IDE repeats this check on a set cadence, ensuring the malicious code is re-executed periodically.
Exploitation Status:
- Status: Public Disclosure / Unpatched
- PoC: Concept demonstrated by Mindgard. No patch is currently available.
Detection & Response
Given the lack of a vendor patch, detection is your primary defense. Below are specific Sigma rules, KQL hunts, and artifacts to identify this behavior in your environment.
---
title: Potential Malicious Git Execution by Cursor IDE
id: 8c7b9d1a-2f4e-4b1c-9a5d-1e3b6c8d9f0a
status: experimental
description: Detects Cursor IDE executing git.exe from non-standard paths (e.g., project root), indicating a potential binary planting attack.
references:
- https://mindgard.ai/blog/cursor-0day-when-full-disclosure-becomes-the-only-protection-left
author: Security Arsenal
date: 2026/07/16
tags:
- attack.execution
- attack.t1204
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: 'Cursor.exe'
selection_child:
Image|endswith: '\git.exe'
filter_legit_git:
Image|contains:
- '\Program Files\Git\'
- '\Git\cmd\'
- '\Git\bin\'
condition: selection_parent and selection_child and not filter_legit_git
falsepositives:
- Legitimate custom git installations in user profile (rare)
level: high
---
title: Suspicious Git.exe Execution from User Directories
id: 9d8e0a2b-3c5f-5d2e-0b6e-2f4c7d8e0a1b
status: experimental
description: Detects execution of git.exe from common user source code directories (Desktop, Documents, Downloads) which deviates from standard installation paths.
references:
- https://mindgard.ai/blog/cursor-0day-when-full-disclosure-becomes-the-only-protection-left
author: Security Arsenal
date: 2026/07/16
tags:
- attack.execution
- cve
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\git.exe'
Image|contains:
- '\Users\'
- '\Desktop\'
- '\Documents\'
- '\Downloads\'
filter_legit:
Image|contains:
- '\AppData\Local\Programs\Git\'
- '\Program Files\Git\'
condition: selection and not filter_legit
falsepositives:
- Developers running portable git binaries
level: medium
---
title: Repeated Execution of Binary in Project Root
id: 0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects rapid repeated execution of the same binary from a project root directory, characteristic of the Cursor IDE cadence check.
references:
- https://mindgard.ai/blog/cursor-0day-when-full-disclosure-becomes-the-only-protection-left
author: Security Arsenal
date: 2026/07/16
tags:
- attack.execution
- attack.persistence
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '.exe'
- '.bat'
- '.cmd'
CommandLine|contains: '.git'
timeframe: 5m
condition: selection | count() > 3
falsepositives:
- Heavy scripting or automated build tools
level: low
// KQL Hunt for Microsoft Sentinel / Defender for Endpoint
// Hunt for git.exe executions originating from user profiles or non-standard paths,
// specifically checking for parent processes associated with dev tools.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "git.exe"
| where not(FolderPath has @"Program Files" or FolderPath has @"Program Files (x86)" or FolderPath has @"Windows\System32")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ProcessCommandLine
| where InitiatingProcessFileName contains "Cursor" or InitiatingProcessFileName contains "cursor"
| order by Timestamp desc
// Velociraptor VQL Artifact to hunt for suspicious git.exe executions
// and scan for git.exe in common project directories.
LET suspicious_files = SELECT FullPath, Mtime
FROM glob(globs="*/Users/*/Desktop/git.exe")
WHERE NOT FullPath =~ "Program Files"
SELECT * FROM foreach(row=suspicious_files,
query={
SELECT FullPath, Mtime,
exec(cmd="powershell -command " + "(Get-FileHash -Path '" + FullPath + "').Hash") as Hash
FROM scope()
})
# Remediation Script: Scan and Block Malicious Git Binaries
# Usage: Run as Administrator. This script scans common source directories
# for git.exe and creates a firewall block rule if found outside standard paths.
$StandardPaths = @("C:\Program Files\Git", "C:\Program Files (x86)\Git")
$UserProfiles = Get-ChildItem "C:\Users" -Directory
$SuspiciousFound = $false
foreach ($Profile in $UserProfiles) {
$SearchPaths = @(
"$($Profile.FullName)\Desktop",
"$($Profile.FullName)\Documents",
"$($Profile.FullName)\Downloads",
"$($Profile.FullName)\Source",
"$($Profile.FullName)\repos"
)
foreach ($Path in $SearchPaths) {
if (Test-Path $Path) {
$MaliciousGit = Get-ChildItem -Path $Path -Filter "git.exe" -Recurse -ErrorAction SilentlyContinue
foreach ($File in $MaliciousGit) {
$IsStandard = $false
foreach ($Std in $StandardPaths) {
if ($File.FullName -like "$Std*") { $IsStandard = $true }
}
if (-not $IsStandard) {
Write-Host "[!] Suspicious git.exe found at: $($File.FullName)" -ForegroundColor Red
$SuspiciousFound = $true
# Quarantine / Delete action (Commented out for safety - enable as needed)
# Remove-Item -Path $File.FullName -Force
# Block execution via Firewall Rule
$RuleName = "Block Malicious Git - $($File.Name)"
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Program $File.FullName -Action Block
Write-Host "[+] Created Firewall Block Rule for: $($File.FullName)" -ForegroundColor Yellow
}
}
}
}
}
}
if (-not $SuspiciousFound) {
Write-Host "No suspicious git.exe files found in standard user directories." -ForegroundColor Green
}
Remediation
As of this publication, no official patch exists for this vulnerability. Defenders must rely on strict configuration management and network hygiene.
Immediate Workarounds:
- Restrict Execution Paths (WDAC/AppLocker): Implement Windows Defender Application Control (WDAC) or AppLocker policies to explicitly deny the execution of
git.exefrom user-writable directories (e.g.,C:\Users\*\*,C:\Dev\*). Allow execution only from trusted directories likeC:\Program Files\Git\. - Halt Usage of Cursor for Untrusted Code: Advise development teams to pause the use of Cursor IDE when cloning or opening repositories from untrusted sources.
- Pre-Commit Scanning: Implement pre-commit hooks or repository scanning tools (e.g., pre-receive hooks in GitLab/GitHub) to reject commits containing
git.exeor other suspicious binaries in the repository root. - Network Segmentation: Ensure development workstations do not have broad unnecessary network access. If a workstation is compromised, lateral movement should be inhibited.
Vendor Advisory:
- Mindgard Disclosure: Cursor 0day: When Full Disclosure Becomes the Only Protection Left
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment Vulnerability Management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.