<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Binary-Planting - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/binary-planting/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 15:18:04 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/binary-planting/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-63093: Binary Planting Vulnerability in Cursor for Windows</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-63093-cursor-binary-planting/</link><pubDate>Fri, 17 Jul 2026 15:18:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-63093-cursor-binary-planting/</guid><description>CVE-2026-63093 describes a binary planting vulnerability in Cursor for Windows version 3.2.16 that allows a remote attacker to achieve arbitrary code execution by placing a malicious `git.exe` file in a crafted repository's root, which the Cursor IDE automatically executes during startup or on a recurring cadence when a developer opens the repository, running the malicious binary under the privileges of the current user.</description><content:encoded><![CDATA[<p>CVE-2026-63093 identifies a critical binary planting vulnerability affecting Cursor for Windows, specifically version 3.2.16. This flaw enables remote attackers to execute arbitrary code on a victim's system. The mechanism involves an attacker crafting a malicious Git repository containing a specially prepared <code>git.exe</code> executable in its root directory. When an unsuspecting developer clones and subsequently opens this crafted repository within the vulnerable Cursor IDE, the application automatically resolves and executes the workspace-resident malicious <code>git.exe</code> binary. This execution occurs without any further user interaction, both during the IDE's startup phase and at regular, timed intervals, granting the attacker code execution capabilities under the privileges of the user running Cursor. This vulnerability poses a significant supply chain risk, as developers could unknowingly introduce malware into their development environments simply by interacting with a seemingly legitimate code repository.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Git repository containing a hostile <code>git.exe</code> binary placed in the repository's root directory.</li>
<li>The attacker publishes or otherwise makes this crafted repository available to target developers (e.g., via a phishing campaign, compromised repository, or social engineering).</li>
<li>A developer clones the malicious repository to their local machine using any Git client.</li>
<li>The developer opens the newly cloned repository within the vulnerable Cursor for Windows IDE (version 3.2.16 or earlier).</li>
<li>Upon opening the repository or during a recurring background process, the Cursor IDE automatically attempts to resolve and execute the <code>git.exe</code> binary.</li>
<li>Due to the binary planting vulnerability, Cursor preferentially executes the malicious <code>git.exe</code> located within the repository's root instead of the legitimate <code>git.exe</code> installed on the system.</li>
<li>The malicious <code>git.exe</code> executes arbitrary code on the developer's system, inheriting the privileges of the user running Cursor.</li>
<li>The attacker achieves arbitrary code execution, potentially leading to full system compromise, data exfiltration, or further network lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-63093 leads to arbitrary code execution on the compromised developer's workstation. This gives attackers the ability to install additional malware, exfiltrate sensitive source code, steal credentials, establish persistence, or pivot into other systems within the organization's network. The nature of the attack, targeting developers' IDEs, makes it a potent vector for supply chain attacks, potentially compromising software projects and their end-users. The CVSS v3.1 Base Score of 8.8 reflects the severe consequences of this vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-63093 immediately by updating Cursor for Windows to a version beyond 3.2.16 as soon as a fix is available from the vendor.</li>
<li>Deploy the provided Sigma rule &quot;Detect CVE-2026-63093 Exploitation - Malicious git.exe Execution&quot; to your SIEM to identify suspicious <code>git.exe</code> executions originating from the Cursor IDE process.</li>
<li>Enable process creation logging, such as via Sysmon, to ensure the <code>process_creation</code> log source is captured for effective detection.</li>
<li>Educate developers about the risks of cloning and opening untrusted repositories, emphasizing code review and supply chain security best practices.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>binary-planting</category><category>ide</category><category>vulnerability</category><category>execution</category><category>windows</category></item></channel></rss>