Critical Vulnerability in ExifTool
ExifTool, a widely used open-source tool for reading and writing file metadata, has a serious vulnerability affecting macOS users. The flaw, tracked as CVE-2026-3102, was discovered by Kaspersky's Global Research and Analysis Team in February 2026. It allows an attacker to execute arbitrary shell commands by embedding a malicious value in an image file's metadata.
Exploiting Image Metadata
By embedding harmful instructions in what looks like an ordinary image, attackers can quietly deploy malware, steal data, or gain unauthorized access to networks. The root cause is inadequate sanitization of input data, which lets attacker-controlled text reach a shell and execute.
Researchers traced the issue to the SetMacOSTags function. When ExifTool writes file creation dates on macOS, it uses the Spotlight system attribute MDItemFSCreationDate, which corresponds internally to FileCreateDate. The tag's text value is stored in the $val variable, and when the tag being written is the file creation date, $val is passed to SetMacOSTags.
Method of Exploitation
While the filename parameters are properly handled before reaching the system() call, the date value ($val) is not sanitized at all. This oversight lets an attacker inject shell commands through single quotes, resulting in arbitrary command execution with the same privileges as the user running ExifTool.
Attackers bypass ExifTool's built-in filters with the -n flag, which makes ExifTool accept raw values and so skips sanitization. They then use ExifTool's tag-copying feature: the payload is written into an unrestricted source tag such as DateTimeOriginal and copied from there into FileCreateDate.
Mitigation and Future Outlook
Following the discovery, ExifTool version 13.50 was released to address the flaw. The fix changes how the system call is built: instead of concatenating the arguments into a single command string, ExifTool now passes them as a list of separate arguments, so no shell parses the value and the command-injection path is closed.
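The two patterns contrasted above (a shell command string assembled by concatenation versus a list of separate arguments) are shown below as an added example in Python. This is not ExifTool's code and not the project's actual fix, which lives in its Perl source; the setter command name `setdate-tool`, the `-d` option and the `set_create_date` helper are assumptions for illustration. The example also adds what the page describes as missing: a strict check that the date value has the expected shape before it is forwarded anywhere.

```python
import re
import shlex
import subprocess
from datetime import datetime

# Only this exact shape is forwarded to the system call. Quotes, semicolons,
# newlines and anything else outside the pattern are rejected up front.
DATE_RE = re.compile(r"\A\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}\Z")


def validate_date(val: str) -> str:
    """Return val unchanged if it is a well-formed 'YYYY:MM:DD HH:MM:SS'."""
    if not DATE_RE.match(val):
        raise ValueError(f"rejected date value: {val!r}")
    datetime.strptime(val, "%Y:%m:%d %H:%M:%S")  # also rejects month 13 etc.
    return val


def is_valid_date(val: str) -> bool:
    try:
        validate_date(val)
        return True
    except ValueError:
        return False


def shell_word_count(tool: str, filename: str, val: str) -> int:
    """Vulnerable pattern, kept only for contrast: the value is interpolated
    into one command string that a shell would parse. Returns how many words
    the shell sees; the intended command has exactly four. A value containing
    a single quote ends the quoted argument early and changes that count."""
    cmd = f"{tool} -d '{val}' '{filename}'"
    return len(shlex.split(cmd))


def build_argv(tool: str, filename: str, val: str) -> list[str]:
    """Hardened pattern: every argument is its own list element. Nothing is
    re-parsed by a shell, so the value cannot end or add arguments."""
    return [tool, "-d", validate_date(val), "--", filename]


def set_create_date(filename: str, val: str, tool: str = "setdate-tool",
                    runner=subprocess.run) -> list[str]:
    """Run the hypothetical setter with a list argv; no shell is involved.
    `runner` is injectable so the call path can be exercised without the tool."""
    argv = build_argv(tool, filename, val)
    runner(argv, check=True)
    return argv


if __name__ == "__main__":
    clean = "2024:01:02 03:04:05"
    tainted = clean + "' extra '"   # constructed sample: a stray quote, no command
    print("shell words, clean value:  ", shell_word_count("setdate-tool", "photo.jpg", clean))
    print("shell words, tainted value:", shell_word_count("setdate-tool", "photo.jpg", tainted))
    print("validator accepts tainted: ", is_valid_date(tainted))
    print("argv:", set_create_date("photo.jpg", clean, runner=lambda a, check: None))
```

The list form is the structural fix: the operating system receives each element as one argv entry, so quoting is irrelevant. The validator is defence in depth, and the `shell_word_count` comparison is the kind of unit test that would have caught the original defect, since a well-formed date must always yield the same number of words.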
Organizations that use macOS for tasks such as photo processing or digital asset management should update to ExifTool 13.50 or newer. They should also check for third-party software that bundles outdated ExifTool libraries, and handle untrusted files in isolated virtual environments.
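A small inventory check for the update advice above, added here as an example (not an ExifTool or Kaspersky tool): it queries the local `exiftool` binary with its real `-ver` flag and compares the reported version against 13.50, the fixed version named in this article. Versions are compared as two integers because ExifTool reports MAJOR.MINOR with a two-digit minor, so a float comparison would mis-order them.

```python
import shutil
import subprocess
from typing import Optional

FIXED_VERSION = "13.50"   # version the article names as containing the fix


def parse_version(text: str) -> tuple:
    """ExifTool reports versions as MAJOR.MINOR (e.g. '13.50', '12.76').
    Compare them as two integers, not as a float, so '13.50' sorts after '13.49'.
    Assumes the two-digit minor form ExifTool actually emits."""
    major, minor = text.strip().split(".", 1)
    return int(major), int(minor)


def needs_update(installed: str, minimum: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(installed) < parse_version(minimum)


def installed_version(binary: str = "exiftool") -> Optional[str]:
    """Ask the local exiftool for its version via a list argv (no shell).
    Returns None when no exiftool is on PATH."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "-ver"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("exiftool not found on PATH")
    else:
        print(f"exiftool {v}: {'UPDATE REQUIRED' if needs_update(v) else 'ok'}")
```

Running this across a fleet only covers the standalone binary; software that bundles its own copy of the ExifTool Perl library has to be inventoried separately, as the advice above notes.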
Staying informed about security updates and maintaining strict security policies are crucial for organizations to protect against such vulnerabilities.
