Windows Mcp
Monthly
Unauthenticated remote PowerShell execution in CursorTouch Windows-MCP prior to version 0.7.5 allows attackers to reach the MCP control plane over HTTP and invoke the built-in PowerShell tool as the Windows user running the server. The flaw stems from SSE and streamable-http transports being built without an auth provider while wildcard CORS (allow_origins=*) is applied, opening the path to cross-origin browser pages and any non-browser HTTP client. No CISA KEV listing exists, but the CVSS 4.0 vector includes E:P, indicating publicly available exploit code exists.
Unauthenticated remote PowerShell execution in CursorTouch Windows-MCP prior to version 0.7.5 allows attackers to reach the MCP control plane over HTTP and invoke the built-in PowerShell tool as the Windows user running the server. The flaw stems from SSE and streamable-http transports being built without an auth provider while wildcard CORS (allow_origins=*) is applied, opening the path to cross-origin browser pages and any non-browser HTTP client. No CISA KEV listing exists, but the CVSS 4.0 vector includes E:P, indicating publicly available exploit code exists.