A Five Eyes intelligence alliance has issued an urgent warning, warning that advanced artificial intelligence could soon allow cyberattack...
Chinese artificial intelligence company Z.ai, formerly known as Zhipu AI, has introduced GLM 5.2, an open-weight large language model that is attracting attention among developers for combining advanced AI capabilities with the flexibility to run on privately owned hardware. Unlike proprietary AI platforms such as ChatGPT and Claude, which are primarily accessed through cloud-based subscriptions, GLM 5.2 allows developers to download, customize, and deploy the model within their own computing environments, offering greater control over infrastructure, privacy, and operational costs.
The release comes as open-weight AI models continue to narrow the performance gap with leading commercial systems. While proprietary models have traditionally dominated the AI ecosystem with stronger reasoning capabilities, newer open-weight alternatives, including Meta's Llama family, Mistral, and now GLM 5.2, are demonstrating that many enterprise workloads no longer require exclusive reliance on premium cloud-hosted models. Businesses commonly use AI to summarize extensive document repositories, generate and debug software code, automate repetitive workflows, and retrieve information from internal knowledge bases, making cost-efficient deployment an increasingly important consideration.
Unlike fully open-source AI projects that typically publish training code, data processing pipelines, evaluation frameworks, and other development components, open-weight models primarily provide access to the trained model parameters. This enables organizations to fine-tune and integrate the model into their own applications while maintaining considerably more flexibility than closed AI services, where the underlying model remains inaccessible.
Interest in GLM 5.2 has also grown following demonstrations showing the model running locally on high-end Apple systems, including the Mac mini. Although these deployments require powerful hardware, they illustrate how advanced AI models are gradually becoming practical outside centralized cloud infrastructure. For organizations handling sensitive financial information, medical records, intellectual property, or confidential research, local deployment reduces the need to transmit data to third-party platforms, strengthening privacy protections while supporting regulatory compliance and data sovereignty requirements.
Despite its flexibility, GLM 5.2 remains an exceptionally demanding model. Built using a Mixture-of-Experts architecture containing between 744 billion and 753 billion parameters, the model occupies approximately 1.51TB of storage and memory in its original form. Developers therefore rely on quantization, a compression technique that reduces memory requirements by lowering the numerical precision of model weights. Even after aggressive optimization, approximately 240GB of memory is still required to load the model. GLM 5.2 also supports a one-million-token context window, allowing it to process entire software repositories, lengthy technical documentation, and extensive research collections within a single prompt, though doing so places additional demands on system memory.
As organizations continue evaluating how AI should be deployed across their operations, GLM 5.2 reflects a broader industry movement toward flexible AI ecosystems where proprietary, open-weight, and locally hosted models each serve different operational needs. Rather than replacing commercial AI platforms outright, models such as GLM 5.2 provide businesses with additional options to balance performance, cost, security, and data control as enterprise AI adoption continues to evolve.
The IDE is employed by more than half of the Fortune 500. Both RCE flaws, called “DuneSlide,” were given a 9.8 CVSS score. The security bugs are tracked as CVE-2026-50548 and CVE-2026-50549.
The bugs demonstrated how prompt injection can move beyond the LLM layer and reveal classical bugs in code paths that were earlier not thought of as part of the attack surface.
A threat actor can exploit either of these bugs to overwrite critical system files (such as cursorsandbox binary), changing sandboxed comments into unsandboxed RCE and resulting in a full system hack on both the victim device and linked SaaS workspaces.
Bugs found: Cato AI Labs found two separate, critical bugs in Cursor IDE, resulting in non-sandboxed RCEs on the victim’s system.
Arbitrary file write through prompt injection: Via zero-click prompt injection, these bugs could let a threat actor use zero-click prompt injections to write arbitrary files on the target’s local system.
Escaping sandbox and RCE: If leveraged, a threat actor can jump out of the terminal sandbox and attain a full RCE and a complete device exploit.
Zero-click attack vector: The exploit doesn’t need any prior user privileges or particular interaction. It is prompted when a target makes an “makes an innocuous prompt that inadvertently ingests a threat actor-controlled payload from an untrusted source, such as an MCP server or a web search result,” Cato AI Labs reported.
The first bug surfaces from how the sandbox creates its security boundaries based on tool parameters. If a sandbox command is executed, Cursor creates a seatbelt policy that allows writing into the present working directory.
This means that a remote hacker cannot command the working directory of a sandboxed operation because coding agents are a unique part of software. But, in this bug, a prompt injection works as the passageway to that part of the code.
The second vulnerability is fully independent of the first and exists in Cursor’s file path resolution edge instances. It allows hackers to avoid beyond-limits write restrictions via symbolic links.
In most traditional software, an external hacker cannot remotely generate symlinks on the target's system. In this scenario, a prompt injection changed the Cursor agent to a bridgehead for non-trivial activities that end in a full system compromise.