macOS security flaw lets hackers disable Mac protection tools without a password – Cult of Mac

By Anurag Chawake
Security researchers have disclosed a new macOS flaw that lets attackers shut down your security software after getting onto your machine — no admin password, no kernel exploit, and almost no trace left behind.
The attack takes advantage of how macOS apps earn each other’s trust, and if you use a Mac at work, it is exactly the type of thing your IT department needs to know about.

Mac users have long enjoyed a reputation for being safer from malware and cyberattacks than their Windows counterparts, thanks in part to Apple’s tighter control over hardware and software. But security experts warn that no operating system is immune. As Macs have grown more popular in homes and workplaces, they’ve become increasingly attractive targets for hackers, who now routinely search for flaws in macOS and third-party applications.
This new exploit abuses macOS’s built-in app trust mechanisms to disable enterprise security tools from within.
The flaw was discovered by security firm XM Cyber. The company plans to give a full public demo at the Black Hat Arsenal, which will be held in Las Vegas this August. They are also planning to release a free tool called XPC Hunter that scans Macs for the same weakness.
The exploit lives in XPC, Apple’s framework that enables apps to communicate with background services requiring elevated permissions. Normally, macOS checks the cryptographic signature of an app to see if it’s legitimate. Once it passes, the system caches the result instead of re-checking, to speed things up.
That caching is the problem. Researchers say an attacker can simply launch a signed app to gain macOS’s trust and then insert malicious code. From there, the attacker can use privileged functionality reserved for the security software, which includes commands built to turn it off for maintenance.
Instead of using kernel exploits or bypassing System Integrity Protection, the flaw turns Apple’s very own trust system against itself.
XM Cyber successfully tested the technique against CrowdStrike Falcon and Kandji. For context, these two security and device management platforms are widely used on company-owned Macs.
But a CrowdStrike spokesperson told Cult of Mac on Thursday, after the news broke: “The technique exploits a macOS issue, and we have detections and preventions in place for the Falcon sensor.”
Kandji has shipped a fix and even earned an entry in the public vulnerability database (CVE-2026-39118).
At the time of writing, Apple hasn’t issued a security advisory, nor has it independently confirmed the findings. For a platform used by enterprises, silence does not look great.
Developers already have a fix: Apple’s own API lets them verify who’s calling them instead of relying on a cached signature.
Unfortunately, there’s no way to patch this exploit yourself, but you can reduce the risk. Use a strong, unique password and enable two-factor authentication wherever you can. Also, make sure to update macOS and company security software, since fixes are currently being rolled out vendor by vendor.
If you happen to manage Macs for a living, it’s time to push security vendors for a timeline before XPC Hunter goes public at Black Hat.
Anurag Chawake is a tech-focused writer specializing in smartphones, apps and consumer technology. His interest in computers began during the Windows 98 era, eventually leading him to explore everything from operating systems to mobile devices and PC hardware. Anurag previously contributed to The Indian Express, covering Apple, Android, gaming and the broader technology landscape.
Copyright © 2026 – Cult of Mac. All rights reserved.