What's Happening?
Cybersecurity firm XM Cyber has revealed a new macOS attack technique that allows a non-administrative user to disable enterprise endpoint security tools without triggering alerts. The method abuses legitimate macOS behaviors rather than software vulnerabilities: weakly validated XPC connections and malicious payload injection into application Interface Builder files. The attack was demonstrated against security tools including CrowdStrike Falcon Sensor and Kandji MDM, both of which were disabled from a standard user account. CrowdStrike has since addressed the issue with detection and prevention measures, while Kandji has patched the flaw, which was assigned CVE-2026-39118. A third, unnamed vendor is also working on a patch. XM Cyber plans to release an open-source tool, XPC Hunter, to identify exploitable XPC privilege escalation surfaces in macOS applications.
Why It's Important?
This development highlights a significant weakness in macOS security: legitimate system behaviors can be abused to bypass security controls. The ability to disable endpoint security tools without administrative privileges poses a serious risk to enterprises, since it could allow an attacker who already has a foothold to operate undetected. The swift response from CrowdStrike and Kandji underscores the importance of rapid vulnerability management and patching. The incident also emphasizes the need for continuous monitoring and improvement of security controls to keep pace with evolving threats.
What's Next?
XM Cyber plans to present its findings and the XPC Hunter tool at the Black Hat US conference in August 2026. The presentation is expected to provide further detail on the technique and on potential mitigation strategies. Security vendors and macOS users will need to stay vigilant and keep their systems updated to protect against similar abuses. The broader security community may also focus on developing more robust detection and prevention mechanisms for this class of issue.