Apple's MacOS Gap Lets Users Disable Security Tools
Dark Reading
Attackers can exploit the issue to disable security and integrated browser tools without needing administrator privileges or kernel exploits.
Jai Vijayan, Contributing Writer
June 24, 2026
Researchers have uncovered a novel macOS privilege-escalation technique that allows a user with standard privileges to disable enterprise security tools and invoke privileged functions without administrator credentials.
The technique exploits how macOS establishes and validates application trust information. It enables an attacker to impersonate trusted application components and silently perform actions that should only be available to privileged processes.
Disabling EDR and MDM
Researchers at XM Cyber who developed the technique showed how an attacker could use it to disable CrowdStrike Falcon Endpoint Detection and Response (EDR) and Kandji Mobile Device Management (MDM) without needing any administrator credentials or kernel exploits and without triggering any alert.
According to XM Cyber, the issue potentially affects other macOS applications that provide privileged Cross-Process Communication (XPC) services and rely on Apple's CDHash, a cryptographic identifier for verifying an application's authenticity. "MacOS applications routinely expose privileged XPC services running as root — yet the trust boundaries protecting these interfaces are fundamentally flawed," said XM Cyber senior security researcher Hillel Pinto, in a report this week.
XM Cyber has developed an open source large language model (LLM)-powered tool it named XPC Hunter to help security researchers look for exploitable macOS XPC privilege escalation vulnerabilities across other macOS applications. The company plans to release XPC Hunter at Black Hat USA in August.
MacOS XPC services allow different applications or processes to talk to each other in a secure manner. Security tools, MDM agents, system utilities, and many other macOS apps use XPC services to request privileged operations from background root processes for tasks such as installing system extensions, accessing kernel-level telemetry, or unloading security components.
Dark Reading contacted Apple but received no response at press time.
A Problem With Caching, Reusing
The core problem, according to XM Cyber, lies in how macOS caches and reuses an application's CDHash, the cryptographic fingerprint the OS uses to verify an application's authenticity. XM Cyber found that once macOS caches the CDHash, the operating system continues to trust the application even if an attacker later modifies some of its components. This allows a standard user to impersonate legitimate application components and call privileged XPC services that should be accessible only to properly signed vendor code. XM Cyber showed how an attacker could exploit the weakness to inject malicious code into a so-called NIB file inside a trusted application and trick the system into running privileged commands.
XM Cyber used the technique to "completely unload the CrowdStrike Falcon endpoint security sensor" and effectively neutralize all its endpoint detection, network visibility and process monitoring capabilities on a macOS system, Pinto said. The company was able to similarly permanently deactivate Kandji MDM. "Beyond these two specific products, the underlying CDHash cache exploitation + NIB injection technique represents a generic attack primitive applicable to any macOS application that exposes privileged XPC services and includes a user-facing app component with injectable NIBs," Pinto said.
Iru Inc. has released an updated version of its Kandji Agent software that protects against the exploit on macOS systems after XM Cyber informed the company about the vulnerability (CVE-2026-39118). XM Cyber said it has notified CrowdStrike about the vulnerability as well, though it is not clear if the latter has released a patch for it yet. "Disclosure is ongoing with CrowdStrike's security team," Pinto said.
Potentially Large Impact
In comments to Dark Reading, Pinto describes the problem as a flaw in macOS itself that affects applications that rely on the Apple-provided XPC functionality. "If Apple had fixed the underlying issue in macOS, these products would not be vulnerable through this attack vector," Pinto says. "However, Apple has stated that they do not intend to address the bug," he claims. "Consequently, affected vendors must implement their own mitigations and hardening measures. Kandji, for example, has done an excellent job addressing the issue."
Pinto stresses that not all macOS applications are vulnerable. The issue affects applications that implement XPC communication between their components, which, in practice, includes a large portion of the macOS ecosystem. "Developers using XPC should review and strengthen their validation logic to ensure their applications cannot be exploited through the vulnerability," he says.
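As an added illustration of the "strengthen their validation logic" advice (not XM Cyber's XPC Hunter, nor Kandji's or CrowdStrike's code), a root XPC helper's listener delegate that pins each incoming connection to an explicit code-signing requirement through NSXPCConnection's setCodeSigningRequirement: (macOS 13 and later) instead of trusting the caller's process ID. The protocol name, bundle identifier and Team ID are placeholders.

```objectivec
#import <Foundation/Foundation.h>

// Hypothetical protocol exposed by a root XPC helper (placeholder name).
@protocol HelperProtocol
- (void)helperVersionWithReply:(void (^)(NSString *version))reply;
@end

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation HelperListenerDelegate

// Requirement the calling process must satisfy: an Apple-rooted signing
// chain, the exact client bundle identifier, and the vendor's Team ID in the
// leaf certificate's OU field. Identifier and Team ID are placeholders.
+ (NSString *)clientRequirement {
    return @"anchor apple generic"
            " and identifier \"com.example.client-app\""
            " and certificate leaf[subject.OU] = \"TEAMID0000\"";
}

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Gating on conn.processIdentifier alone is insufficient: a PID says
    // nothing about who signed the calling code and can be reused.
    if (@available(macOS 13.0, *)) {
        // Pin the peer to the requirement; the framework invalidates the
        // connection if the peer fails to satisfy it.
        [conn setCodeSigningRequirement:[HelperListenerDelegate clientRequirement]];
    } else {
        return NO; // fail closed rather than accept an unvalidated caller
    }
    conn.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

- (void)helperVersionWithReply:(void (^)(NSString *))reply {
    reply(@"1.0"); // constructed value for the example
}

@end
```

Attach the delegate to an NSXPCListener created with the helper's Mach service name and resume it; the requirement string can be checked against a built client with `codesign -v -R` before shipping.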
XPC Hunter itself is solely a research tool to help security researchers identify, validate, and demonstrate the vulnerability within their own environments and with applications they own or are authorized to test, he points out. "The exploitation capabilities are provided exclusively for proof-of-concept and research purposes," Pinto notes.
About the Author
Jai Vijayan
Contributing Writer
Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.
Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.
Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications.
His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.