A recently disclosed security flaw in macOS could allow attackers to disable protection tools on Macs, potentially leaving users vulnerable to attack.
What Happened
Security firm XM Cyber found a technique that can let standard user accounts disable some enterprise security tools without administrator credentials. The researchers disclosed their findings ahead of a planned Black Hat Arsenal presentation in August, where they'll demonstrate an open-source tool called XPC Hunter.
The attack starts when a user launches a legitimate signed application and macOS caches its trust fingerprint. Researchers claim an attacker can then modify parts of the application bundle with a malicious payload while retaining that trust relationship. The cached trust relationship can reportedly allow a standard user account to invoke privileged XPC methods normally reserved for trusted software components.
Background and Context
XPC is Apple's framework for communication between applications and background services. Developers commonly use XPC to let apps request administrative actions while keeping privileged functions separate from user-facing software. However, XM Cyber argues that some developers rely too heavily on code-signing trust when deciding which software can call sensitive XPC methods.
The researchers' technique targets how some applications verify requests sent to privileged services. They claim the issue stems from how some applications establish trust rather than from a direct bypass of macOS security protections. The attack requires access to an existing account, limiting its reach but not making it insignificant. Attackers who gain access to a Mac often try to disable monitoring tools before moving deeper into a system or network.
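As an added illustration, not code from XM Cyber or any vendor named above, the following Swift XPC listener hands the caller's trust check to the system's code-signing requirement for the connection instead of remembering an identity it verified once. The protocol, bundle identifier, Team ID and Mach service name are placeholders.

```swift
import Foundation

// Hypothetical interface exposed by a privileged helper (not from the article).
@objc protocol PrivilegedProtocol {
    func setProtectionEnabled(_ enabled: Bool, reply: @escaping (Bool) -> Void)
}

final class PrivilegedService: NSObject, PrivilegedProtocol {
    func setProtectionEnabled(_ enabled: Bool, reply: @escaping (Bool) -> Void) {
        // Real work would go here; by this point the peer has already satisfied
        // the code-signing requirement attached to the connection below.
        reply(true)
    }
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Hypothetical requirement: pin callers to our own bundle identifier AND our
    // Team ID (subject.OU of the leaf certificate), not merely "signed by anyone".
    private let requirement =
        "anchor apple generic and identifier \"com.example.agent\" " +
        "and certificate leaf[subject.OU] = \"TEAMID0000\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        guard #available(macOS 13.0, *) else {
            // No per-connection requirement API on older systems: refuse rather than
            // fall back to a one-time check whose result would have to be cached.
            return false
        }
        // macOS evaluates this requirement against the peer's code signature itself;
        // the service stores no fingerprint, so there is nothing stale to reuse.
        newConnection.setCodeSigningRequirement(requirement)

        newConnection.exportedInterface = NSXPCInterface(with: PrivilegedProtocol.self)
        newConnection.exportedObject = PrivilegedService()
        newConnection.resume()
        return true
    }
}

let delegate = ListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.agent.helper") // hypothetical
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

Note that deciding trust from the peer's process ID or bundle path is exactly the kind of check that can be satisfied once and then abused; the requirement string keeps the decision with the operating system.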
Why It Matters to the Industry
The discovery of this security flaw has significant implications for adult-industry platforms and operators, particularly those relying on macOS-based infrastructure. The ability to disable protection tools could allow attackers to evade detection and compromise sensitive data. This is especially concerning given the industry's reliance on secure streaming and webcam infrastructure.
Adult-industry platforms often rely on macOS-based servers and workstations for their operations. These systems are typically configured with enterprise security tools, such as CrowdStrike Falcon and Kandji, to protect against threats. However, if these tools can be disabled by a standard user account, the entire security posture of the system is compromised.
What Comes Next
The researchers disclosed their findings to affected vendors before publication. Apple hasn't published a security advisory tied to the research or independently validated XM Cyber's findings. Kandji has since fixed the reported vulnerability, which has been assigned CVE-2026-39118 in the public database of known vulnerabilities.
Key Facts
- The researchers discovered a technique that can let standard user accounts disable some enterprise security tools without administrator credentials.
- The attack requires access to an existing account, limiting its reach but not making it insignificant.
- The cached trust relationship can reportedly allow a standard user account to invoke privileged XPC methods normally reserved for trusted software components.
- XM Cyber argues that the issue stems from how some applications establish trust rather than from a direct bypass of macOS security protections.
- Kandji has since fixed the reported vulnerability, which has been assigned CVE-2026-39118 in the public database of known vulnerabilities.
In related news, a community guide to securing and improving privacy on macOS has been published on GitHub. The guide provides techniques for improving the security and privacy of Apple silicon Mac computers running a currently supported version of macOS. It targets power users who wish to adopt enterprise-standard security but is also suitable for novice users with an interest in improving their privacy and security on a Mac.