logo

Apple's MacOS Gap Lets Users Disable Security Tools

ID: 1975f739-3d35-53aa-b384-c571803d4786

STIX ID: report--1975f739-3d35-53aa-b384-c571803d4786

Feed Name: Dark Reading

Threat Score
75/100

Date Published: 2026-06-24

Date Updated: 2026-06-24

Author: Jai Vijayan

...
...

Researchers from XM Cyber disclosed a macOS privilege-escalation technique that exploits CDHash caching and NIB injection to impersonate trusted application components and invoke privileged XPC services without administrator credentials. Using this method they demonstrated disabling CrowdStrike Falcon EDR and Kandji MDM; Kandji released a patched agent (CVE-2026-39118). XM Cyber plans to release an LLM-assisted research tool called XPC Hunter. The issue stems from macOS trust/cache behavior for XPC services and may affect many apps that expose privileged XPC interfaces, while Apple has reportedly declined to address the underlying OS flaw.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.