Apple's MacOS Gap Lets Users Disable Security Tools
ID: 1975f739-3d35-53aa-b384-c571803d4786
STIX ID: report--1975f739-3d35-53aa-b384-c571803d4786
Feed Name: Dark Reading
Researchers from XM Cyber disclosed a macOS privilege-escalation technique that exploits CDHash caching and NIB injection to impersonate trusted application components and invoke privileged XPC services without administrator credentials. Using this method they demonstrated disabling CrowdStrike Falcon EDR and Kandji MDM; Kandji released a patched agent (CVE-2026-39118). XM Cyber plans to release an LLM-assisted research tool called XPC Hunter. The issue stems from macOS trust/cache behavior for XPC services and may affect many apps that expose privileged XPC interfaces, while Apple has reportedly declined to address the underlying OS flaw.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
