
Apple's MacOS Gap Lets Users Disable Security Tools

Source: Dark Reading (archived Jun 24, 2026)

Attackers can exploit the issue to disable security and integrated browser tools without needing administrator privileges or kernel exploits.



Jai Vijayan, Contributing Writer | June 24, 2026 | 4 Min Read

Researchers have uncovered a novel macOS privilege-escalation technique that allows a user with standard privileges to disable enterprise security tools and invoke privileged functions without administrator credentials.

The technique exploits how macOS establishes and validates application trust information. It enables an attacker to impersonate trusted application components and silently perform actions that should be available only to privileged processes.

Disabling EDR and MDM

Researchers at XM Cyber who developed the technique showed how an attacker could use it to disable CrowdStrike Falcon endpoint detection and response (EDR) and Kandji mobile device management (MDM) without any administrator credentials or kernel exploits, and without triggering any alert.

According to XM Cyber, the issue potentially affects other macOS applications that expose privileged cross-process communication (XPC) services and rely on Apple's CDHash, the hash of a signed binary's code directory, which the operating system uses to verify an application's authenticity.

"MacOS applications routinely expose privileged XPC services running as root — yet the trust boundaries protecting these interfaces are fundamentally flawed," said XM Cyber senior security researcher Hillel Pinto, in a report this week.

XM Cyber has developed an open source large language model (LLM)-powered tool, XPC Hunter, to help security researchers look for exploitable macOS XPC privilege-escalation vulnerabilities in other macOS applications. The company plans to release XPC Hunter at Black Hat USA in August.

XPC lets different applications or processes on macOS talk to each other over a defined interface. Security tools, MDM agents, system utilities, and many other macOS apps use XPC services to request privileged operations from background root processes for tasks such as installing system extensions, accessing kernel-level telemetry, or unloading security components.

Dark Reading contacted Apple but received no response at press time.

A Problem With Caching, Reusing

The core problem, according to XM Cyber, lies in how macOS caches and reuses an application's CDHash. XM Cyber found that once macOS has cached the CDHash, the operating system continues to trust the application even if an attacker later modifies some of its components. This allows a standard user to impersonate legitimate application components and call privileged XPC services that should be accessible only to properly signed vendor code.

XM Cyber showed how an attacker could exploit the weakness to inject malicious code into a NIB file (a compiled Interface Builder file that AppKit loads at runtime to build an app's user interface) inside a trusted application and trick the system into running privileged commands.

XM Cyber used the technique to "completely unload the CrowdStrike Falcon endpoint security sensor" and effectively neutralize all of its endpoint detection, network visibility, and process monitoring capabilities on a macOS system, Pinto said. The company was similarly able to permanently deactivate Kandji MDM.

"Beyond these two specific products, the underlying CDHash cache exploitation + NIB injection technique represents a generic attack primitive applicable to any macOS application that exposes privileged XPC services and includes a user-facing app component with injectable NIBs," Pinto said.

Iru Inc. has released an updated version of its Kandji Agent software that protects against the exploit on macOS systems after XM Cyber informed the company about the vulnerability (CVE-2026-39118). XM Cyber said it has also notified CrowdStrike about the vulnerability, though it is not clear whether CrowdStrike has released a patch for it yet. "Disclosure is ongoing with CrowdStrike's security team," Pinto said.

Potentially Large Impact

In comments to Dark Reading, Pinto describes the problem as a flaw in macOS itself that affects applications relying on the Apple-provided XPC functionality. "If Apple had fixed the underlying issue in macOS, these products would not be vulnerable through this attack vector," Pinto says. "However, Apple has stated that they do not intend to address the bug," he claims. "Consequently, affected vendors must implement their own mitigations and hardening measures. Kandji, for example, has done an excellent job addressing the issue."

Pinto stresses that not all macOS applications are vulnerable. The issue affects applications that implement XPC communication between their components, which, in practice, includes a large portion of the macOS ecosystem. "Developers using XPC should review and strengthen their validation logic to ensure their applications cannot be exploited through the vulnerability," he says.

XPC Hunter itself is solely a research tool to help security researchers identify, validate, and demonstrate the vulnerability within their own environments and with applications they own or are authorized to test, he points out. "The exploitation capabilities are provided exclusively for proof-of-concept and research purposes," Pinto notes.
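The validation logic Pinto urges XPC developers to review, as an added example written for this archive and not code from XM Cyber, Kandji, CrowdStrike or Apple: a privileged XPC listener that accepts only peers satisfying an explicit code-signing requirement, instead of trusting whoever connects. The protocol name PrivilegedHelper, the Mach service name com.example.helper, the bundle identifier com.example.agent and the team ID ABCDE12345 are placeholders. The article does not say what Kandji changed in its agent, so whether any particular check holds up against the CDHash-cache behaviour XM Cyber describes is something each vendor has to test against the technique itself.

```swift
// Added example (not vendor code): a root XPC helper that rejects any caller
// not matching an explicit designated requirement. All identifiers are placeholders.
import Foundation
import Security

/// Interface the root helper exposes. Hypothetical; stands in for the
/// "unload a security component"-style operations the article describes.
@objc protocol PrivilegedHelper {
    func unloadComponent(named name: String, reply: @escaping (Bool) -> Void)
}

final class HelperListener: NSObject, NSXPCListenerDelegate, PrivilegedHelper {
    // Designated requirement the caller must satisfy: anchored on Apple's
    // Developer ID chain, pinned to the vendor's bundle identifier AND Team ID,
    // so a re-signed or ad-hoc-signed impostor with the same identifier fails.
    // "com.example.agent" and "ABCDE12345" are placeholders.
    static let clientRequirement =
        "anchor apple generic and identifier \"com.example.agent\" " +
        "and certificate leaf[subject.OU] = \"ABCDE12345\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        if #available(macOS 13.0, *) {
            // The XPC runtime checks the peer (identified by its kernel-supplied
            // audit token) against the requirement before delivering any message.
            connection.setCodeSigningRequirement(Self.clientRequirement)
        } else {
            // Older systems: validate the peer by PID. Weaker, because a PID can
            // be reused between this lookup and the actual call.
            guard Self.peerSatisfiesRequirement(pid: connection.processIdentifier) else {
                return false
            }
        }
        connection.exportedInterface = NSXPCInterface(with: PrivilegedHelper.self)
        connection.exportedObject = self
        connection.resume()
        return true
    }

    /// Fallback: build a SecCode for the peer process and evaluate it against
    /// the designated requirement rather than accepting it on sight.
    static func peerSatisfiesRequirement(pid: pid_t) -> Bool {
        var requirement: SecRequirement?
        guard SecRequirementCreateWithString(clientRequirement as CFString,
                                             SecCSFlags(), &requirement) == errSecSuccess,
              let req = requirement else { return false }

        var code: SecCode?
        let attrs = [kSecGuestAttributePid as String: pid] as CFDictionary
        guard SecCodeCopyGuestWithAttributes(nil, attrs, SecCSFlags(), &code) == errSecSuccess,
              let guest = code else { return false }

        // kSecCSStrictValidate requests strict validation of the static code;
        // kSecCSConsiderExpiration rejects expired signing certificates.
        let flags = SecCSFlags(rawValue: UInt32(kSecCSStrictValidate) |
                                         UInt32(kSecCSConsiderExpiration))
        return SecCodeCheckValidityWithErrors(guest, flags, req, nil) == errSecSuccess
    }

    func unloadComponent(named name: String, reply: @escaping (Bool) -> Void) {
        // Privileged work goes here; reached only by a caller that passed the check.
        // Placeholder: refuse everything until a real implementation exists.
        reply(false)
    }
}

// Entry point for a launchd-managed daemon; the service name is a placeholder.
let delegate = HelperListener()
let listener = NSXPCListener(machServiceName: "com.example.helper")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

Two things a reviewer should check in any such listener: that the requirement pins the Team ID and not merely the bundle identifier (an identifier alone is satisfied by anything the attacker signs with that name), and that the trust decision is evaluated for each connection from the peer's identity rather than reused from an earlier verdict, since the article's whole point is that a cached trust decision outlives modification of the bundle.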