macOS Flaw Lets Standard Users Disable EDR and MDM
ID: 796dcd67-9a28-522d-92bb-84168094fffd
STIX ID: report--796dcd67-9a28-522d-92bb-84168094fffd
Feed Name: Infosecurity Magazine (News)
XM Cyber disclosed a macOS issue where XPC's cached trust of signed applications can be abused by a non-root user to call privileged helper functions in endpoint and MDM products, enabling the silent disabling or removal of security agents (validated against CrowdStrike Falcon and Kandji—CVE-2026-39118). The researcher published an open-source scanner (XPC Hunter) and advised developers to validate caller identities using Apple-provided checks since macOS 13; vendors have issued mitigations.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
