Recent research by cybersecurity firm XM Cyber has unveiled a method by which a standard user account can quietly disable macOS enterprise security tools without being detected. The technique requires neither administrative privileges nor kernel exploits, which makes it a significant concern for enterprise security.
Understanding the Exploit
The method leverages weaknesses such as poorly validated XPC connections and injection of malicious payloads into an application's Interface Builder (NIB) files. Although these tactics were already known and partially mitigated by Apple, the new exploit chain shows that the underlying weaknesses persist. The chain relies on the persistence of the kernel's code-signing trust cache, which lets an attacker masquerade as a trusted application and invoke privileged XPC methods undetected.
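The "poorly validated XPC connections" weakness above comes down to an XPC listener that exposes privileged methods to any local peer. The following is an added illustration, not code from XM Cyber, CrowdStrike, Kandji, or the article: a permissive NSXPCListener delegate next to one that pins a code-signing requirement on the peer before exporting anything. The protocol, service name, bundle identifier and Team ID are invented placeholders.

```swift
import Foundation

// Hypothetical privileged interface an agent might expose over XPC (constructed for this example).
@objc protocol AgentControlProtocol {
    func disableProtection(reply: @escaping (Bool) -> Void)
}

final class AgentControl: NSObject, AgentControlProtocol {
    func disableProtection(reply: @escaping (Bool) -> Void) { reply(false) }
}

// Weak: every connection is accepted, so any process running as any local user
// can call the privileged methods. This is the pattern the article's attack abuses.
final class PermissiveDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection conn: NSXPCConnection) -> Bool {
        conn.exportedInterface = NSXPCInterface(with: AgentControlProtocol.self)
        conn.exportedObject = AgentControl()
        conn.resume()
        return true
    }
}

// Hardened: require that the peer is signed by our Team ID and carries the expected
// bundle identifier. The requirement is checked by XPC against the peer's audit
// token, so it is not fooled by PID reuse the way a pid-based lookup can be.
final class PinnedDelegate: NSObject, NSXPCListenerDelegate {
    // Placeholder identifier and Team ID; replace with the real values of the client you trust.
    private let requirement =
        "anchor apple generic and identifier \"com.example.agent-ui\" " +
        "and certificate leaf[subject.OU] = \"TEAMID0000\""

    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection conn: NSXPCConnection) -> Bool {
        guard #available(macOS 13.0, *) else {
            return false   // no public audit-token API below macOS 13: refuse rather than guess
        }
        conn.setCodeSigningRequirement(requirement)
        conn.exportedInterface = NSXPCInterface(with: AgentControlProtocol.self)
        conn.exportedObject = AgentControl()
        conn.resume()
        return true
    }
}

// Placeholder Mach service name; the listener keeps the delegate alive for its lifetime.
let listener = NSXPCListener(machServiceName: "com.example.agent.control")
let delegate = PinnedDelegate()
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

Pinning the peer's identity only helps if that trusted client cannot itself be hijacked; the NIB-injection step described above targets exactly that, so the client also needs the hardened runtime and library validation, and the privileged operation should still be re-authorized on the server side.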
Impact on Security Tools
The exploit was demonstrated against well-known security tools, including the CrowdStrike Falcon Sensor, which was completely disabled from a non-administrative account. Similarly, Kandji MDM was deactivated through a two-stage process that bypassed EDR protections and shut down the Endpoint Security Framework extension. Both companies have taken steps to address the vulnerabilities: CrowdStrike has enhanced its detection measures, and Kandji has released a patch tracked as CVE-2026-39118.
Responses and Future Developments
In response to the findings, CrowdStrike has offered a bug bounty, and Kandji has quickly patched the vulnerability. Meanwhile, another unnamed enterprise EDR provider affected by the exploit is developing a fix. Looking ahead, XM Cyber plans to release XPC Hunter, an open-source tool designed to identify exploitable XPC privilege escalation points across macOS applications. The tool will be showcased at Black Hat US in August 2026.
SecurityWeek has contacted Apple, CrowdStrike, and Kandji for further comment, and updates will follow if additional information becomes available. The cybersecurity community continues to monitor these developments closely, since similar vulnerabilities could pose significant risks to enterprise security worldwide.
