New macOS TCC Bypass Vulnerability Allows Attackers to Access Sensitive User Data

A critical security vulnerability in macOS has been discovered that enables attackers to completely bypass Transparency, Consent, and Control (TCC) protections.

TCC is Apple’s primary defense mechanism for preventing unauthorized access to sensitive user data and resources, such as the microphone, camera, and documents.

The vulnerability, tracked as CVE-2025-43530, exploits a flaw in the VoiceOver screen reader framework through the com.apple.scrod service.

VoiceOver, Apple’s built-in accessibility tool for visually impaired users, runs with special system permissions that grant it broad access to user data.

Attackers can exploit this service to execute arbitrary AppleScript commands and send AppleEvents to any application, including Finder, thereby circumventing TCC security controls.

| Field | Details |
| --- | --- |
| CVE ID | CVE-2025-43530 |
| Vulnerability Type | TCC Bypass via Private API Exploitation |
| Affected Component | ScreenReader.framework (VoiceOver), com.apple.scrod MIG Service |
| Attack Vector | Local – Dynamic Library (Dylib) Injection or TOCTOU Attack |
| Impact | Complete TCC bypass, arbitrary AppleScript execution, access to sensitive user data |

How the Attack Works

The vulnerability can be exploited in two distinct ways. First, attackers can inject malicious code into Apple-signed system binaries, a process that requires no administrative privileges.

The verification logic incorrectly trusts any code signed by Apple, failing to distinguish between legitimate system processes and compromised ones.

Second, a Time-of-Check-Time-of-Use (TOCTOU) attack allows attackers to bypass validation checks by manipulating the application between security verification and execution.

When combined, these weaknesses create a straightforward path to complete TCC evasion. Once exploited, attackers can read sensitive documents, access the microphone, interact with the Finder, and execute arbitrary AppleScript code without user notification or consent.

This effectively renders macOS TCC protections useless for affected systems. Apple addressed this vulnerability in macOS 26.2 by implementing a more robust entitlement-based validation system.

The patch now requires processes to possess the specific “com.apple.private.accessibility.scrod” entitlement and validates this entitlement directly through the client’s audit token rather than using file-based verification.

This approach eliminates both the injection vulnerability and the TOCTOU window. All macOS users should immediately update to macOS 26.2 or later to protect against this critical TCC bypass vulnerability.
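The validation pattern described above, as an added Objective-C example (not Apple's code and not from the original article): the service decides from the caller's audit token, which the kernel supplies with the IPC message, instead of re-deriving the caller's identity from a PID or an on-disk path. The handler `HandleScriptRequest` and the entitlement `com.example.myservice.client` are hypothetical, and the token is assumed to have been obtained from the IPC layer.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <Security/SecTask.h>
#import <bsm/libbsm.h>   // audit_token_to_pid(); link with -lbsm

// Returns YES only if the process identified by `token` carries
// `entitlement` with the boolean value true. Fails closed on every error.
static BOOL ClientHasBooleanEntitlement(audit_token_t token,
                                        CFStringRef entitlement) {
    // The SecTask is bound to the exact process instance that sent the
    // message, so there is no path or PID lookup that could be raced.
    SecTaskRef task = SecTaskCreateWithAuditToken(kCFAllocatorDefault, token);
    if (task == NULL) {
        return NO;
    }

    CFErrorRef error = NULL;
    CFTypeRef value = SecTaskCopyValueForEntitlement(task, entitlement, &error);

    BOOL allowed = NO;
    if (value != NULL) {
        // Presence alone is not enough: require a CFBoolean set to true.
        allowed = (CFGetTypeID(value) == CFBooleanGetTypeID()) &&
                  CFBooleanGetValue((CFBooleanRef)value);
        CFRelease(value);
    }
    if (error != NULL) {
        NSLog(@"entitlement lookup failed for pid %d: %@",
              audit_token_to_pid(token), (__bridge NSError *)error);
        CFRelease(error);
    }
    CFRelease(task);
    return allowed;
}

// Hypothetical request handler: the check runs before any privileged work.
static BOOL HandleScriptRequest(audit_token_t clientToken, NSString *script) {
    // Constructed entitlement name for illustration only.
    CFStringRef required = CFSTR("com.example.myservice.client");
    if (!ClientHasBooleanEntitlement(clientToken, required)) {
        NSLog(@"denied request from pid %d: missing entitlement",
              audit_token_to_pid(clientToken));
        return NO;
    }
    // ... privileged work on behalf of the verified client goes here ...
    return YES;
}
```

Because the decision depends on an entitlement rather than on "signed by Apple", an Apple-signed binary that lacks the entitlement is rejected as well.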

According to reports published by jhftss on GitHub, a working proof of concept is publicly available, suggesting active exploitation is likely.


The post New macOS TCC Bypass Vulnerability Allows Attackers to Access Sensitive User Data appeared first on Cyber Security News.

