By exploiting a private API within ScreenReader.framework, a core component of the VoiceOver accessibility feature, malicious actors can gain unauthorized access to sensitive user data.
The flaw resides in the system MIG service com.apple.scrod. This service is designed to handle screen reader operations and possesses powerful TCC entitlements, including permissions to access Apple Events, the microphone, and sensitive documents.
The vulnerability exists in how the service verifies if a client application is “trusted” before executing commands.
Specifically, the service uses a routine isTrusted to check the identity of the program requesting access.
However, instead of securely checking the client’s audit token (a secure identifier), the system uses the API SecStaticCodeCreateWithPath. This method checks the program’s file path rather than the running process itself.
This creates a critical security gap: the system validates the file on the disk, not the actual code running in memory.
Attackers can exploit this verification flaw using a Time-of-Check to Time-of-Use (TOCTOU) attack. By swapping a legitimate, Apple-signed application with a malicious one during verification, an attacker can trick the system into granting elevated permissions.
Additionally, because the check relies on code signatures like “anchor apple” (meaning signed by Apple), attackers can inject malicious code (e.g., a .dylib payload) into a genuine Apple binary.
For instance, a simple command-line instruction could inject code into a trusted system process without requiring root privileges.
Once trusted, the attacker can execute arbitrary AppleScripts to control the Finder or other apps, effectively bypassing TCC to steal data.
Apple has addressed this vulnerability in macOS 26.2. The patch introduces a stricter verification method.
Now, the system checks for a specific entitlement, com.apple.private.accessibility.scrod, directly from the client’s audit token.
This ensures that only legitimate, authorized processes can access the service, rendering file-path-based spoofing and TOCTOU attacks ineffective.
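The two verification styles side by side, as an added Objective-C example that is not Apple's code or code from the original article. The function names and the boolean-value test are assumptions; the entitlement string and "anchor apple" come from the article, and a real service would take the audit token from the received message rather than from itself.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <Security/SecTask.h>
#import <mach/mach.h>

// Entitlement name as given in the article; function names below are hypothetical.
static NSString *const kScrodEntitlement = @"com.apple.private.accessibility.scrod";

// Weak pattern: validates the file found at `path`, not the process that sent the
// request. The file on disk can differ from the code that is actually running.
static BOOL isTrustedByPath(NSString *path) {
    SecStaticCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    NSURL *url = [NSURL fileURLWithPath:path];
    if (SecStaticCodeCreateWithPath((__bridge CFURLRef)url, kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString(CFSTR("anchor apple"), kSecCSDefaultFlags, &req) == errSecSuccess) {
        ok = (SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
    }
    if (req) CFRelease(req);
    if (code) CFRelease(code);
    return ok;
}

// Hardened pattern: bind the decision to the sending process through its audit
// token and require the entitlement to be present with the boolean value true.
static BOOL isTrustedByAuditToken(audit_token_t token) {
    SecTaskRef task = SecTaskCreateWithAuditToken(kCFAllocatorDefault, token);
    if (task == NULL) return NO;  // fail closed if the task cannot be resolved
    CFErrorRef error = NULL;
    CFTypeRef value = SecTaskCopyValueForEntitlement(task, (__bridge CFStringRef)kScrodEntitlement, &error);
    BOOL ok = (value != NULL && CFGetTypeID(value) == CFBooleanGetTypeID() &&
               CFBooleanGetValue((CFBooleanRef)value));
    if (value) CFRelease(value);
    if (error) CFRelease(error);
    CFRelease(task);
    return ok;
}

int main(void) {
    @autoreleasepool {
        // Demo only: use this process's own audit token as the "client" token.
        audit_token_t token;
        mach_msg_type_number_t count = TASK_AUDIT_TOKEN_COUNT;
        if (task_info(mach_task_self(), TASK_AUDIT_TOKEN, (task_info_t)&token, &count) != KERN_SUCCESS) return 1;
        NSLog(@"path check on /bin/ls: %d", isTrustedByPath(@"/bin/ls"));
        NSLog(@"audit-token check on this process: %d", isTrustedByAuditToken(token));
    }
    return 0;
}
```

Built with `clang -fobjc-arc -framework Foundation -framework Security`, the path check accepts any Apple-signed file it is pointed at, while the audit-token check rejects this unentitled process.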
| Feature | Details |
|---|---|
| CVE ID | CVE-2025-43530 |
| Vulnerability Type | TCC Bypass / Privilege Escalation |
| Affected Component | ScreenReader.framework (VoiceOver) |
| Impact | Unauthorized access to sensitive user data (Microphone, Documents) |
| Exploit Vector | Private API abuse via MIG service com.apple.scrod |
| Fixed Version | macOS 26.2 |
| Severity | High |
The post New macOS TCC Bypass Vulnerability Allows Attackers to Access Sensitive User Data appeared first on Cyber Security News.