Agents are finding security gaps

Security posts this week flagged that agents can bypass enterprise protections like EDRs and WAFs and called out CVEs in tools (e.g., Cursor, Figma MCP) as evidence of new attack surfaces introduced by agentic workflows. The thread underlines that scaling inter‑agent communication multiplies blast radius unless agent identity and runtime controls are enforced. (x.com) (x.com)

Researchers publicly assigned CurXecute and MCPoison to Cursor (CVE‑2025‑54135 and CVE‑2025‑54136), with high CVSS scores and vendor patches issued in late July 2025 after coordinated disclosures. (tenable.com)

Multiple vendor blogs and incident analyses say traditional WAFs and endpoint agents miss “east‑west” MCP traffic and agent‑to‑agent calls, and F5’s writeup cites thousands of MCP endpoints appearing as a new external attack surface. (salt.security)

Public proof‑of‑concepts and repos show active work to weaponize agentic flows: an open BOAZ‑MCP repo advertises loaders for AV/EDR bypass, and reporting on “OpenClaw” details agents that can evade EDR, DLP, and IAM controls in lab tests. (github.com)

Security vendors are responding with purpose‑built agent controls this quarter: Palo Alto published agentic‑endpoint guidance, CrowdStrike announced Falcon updates targeting agent security at RSA 2026, and Jozu launched a zero‑trust “Agent Guard” runtime in March 2026. (paloaltonetworks.com)

Cloud Security Alliance and recent MCP digests call out an “authentication vacuum” for MCP servers and recommend mutual agent identity, signed requests, and per‑runtime policy enforcement to stop confused‑deputy delegation across agent chains. (cloudsecurityalliance.org)

Application‑centric detection and new telemetry are being urged as compensating controls because vendors find EDR/WAF rule sets insufficient; application detection & response (ADR) vendors and network‑telemetry authors argue for instrumenting MCP calls and agent decision traces. (scworld.com)
