Microsoft Threat Intelligence has unveiled a critical macOS vulnerability that exploits Spotlight plugins to bypass the system’s Transparency, Consent, and Control (TCC) protections. Dubbed “Sploitlight,” the vulnerability (CVE-2025-31199) allows threat actors to extract private user data from protected directories—posing significant threats to both individual privacy and enterprise security.
According to Microsoft’s analysis, the exploit takes advantage of how macOS’s Spotlight indexing system uses .mdimporter plugins to process and catalog files. These plugins are intended to have privileged access only to specific files for indexing. However, “we have concluded that this is insufficient,” the researchers stated, “as there are multiple ways for attackers to exfiltrate the file’s contents.”
Despite Apple’s sandboxing restrictions, attackers can manipulate the .mdimporter plugin’s Info.plist to gain access to sensitive file types and log their contents. “An attacker doesn’t even need to recompile to adjust to other file types—they could just modify Info.plist and schema.xml as they see fit.”
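Because the file types an importer may read are driven by its Info.plist, a defender can inventory the importers present on a Mac and what each one claims to handle. The following audit script is an added example, not code from the Microsoft report; the directory list and the "user-writable" heuristic are assumptions for illustration.

```python
"""Audit Spotlight importer bundles: list each .mdimporter and the content
types its Info.plist declares, flagging user-writable install locations.
Added illustration; directory list and writability check are assumptions."""
import os
import plistlib
from pathlib import Path

# Standard Spotlight importer locations; the first is writable by the user.
IMPORTER_DIRS = [
    Path.home() / "Library" / "Spotlight",
    Path("/Library/Spotlight"),
    Path("/System/Library/Spotlight"),
]


def declared_content_types(bundle: Path) -> list[str]:
    """Return the UTIs an importer claims via CFBundleDocumentTypes."""
    with (bundle / "Contents" / "Info.plist").open("rb") as fh:
        plist = plistlib.load(fh)
    utis: list[str] = []
    for doc in plist.get("CFBundleDocumentTypes", []):
        utis.extend(doc.get("LSItemContentTypes", []))
    return utis


def audit_importers(search_dirs=IMPORTER_DIRS) -> list[dict]:
    """Describe every .mdimporter found, noting user-writable installs."""
    findings = []
    for base in search_dirs:
        if not base.is_dir():
            continue
        for bundle in sorted(base.glob("*.mdimporter")):
            try:
                utis = declared_content_types(bundle)
            except (OSError, plistlib.InvalidFileException) as exc:
                utis = [f"<unreadable: {exc}>"]
            findings.append({
                "bundle": str(bundle),
                "content_types": utis,
                # An importer anyone can drop in without admin rights deserves review.
                "user_writable": os.access(base, os.W_OK),
            })
    return findings


if __name__ == "__main__":
    for f in audit_importers():
        flag = "REVIEW" if f["user_writable"] else "ok"
        print(flag, f["bundle"], ", ".join(f["content_types"]))
```

Run it on a patched and an unpatched host alike; any importer under the home directory, or one declaring content types unrelated to its vendor's formats, is worth a closer look.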
The risk extends beyond traditional file leaks. Sploitlight enables exfiltration of private data cached by Apple Intelligence, Apple’s built-in AI system on ARM-based Macs. Files in TCC-protected directories—like Pictures and Downloads—contain metadata that includes:
- Precise geolocation data from photos and videos
- Photo and video metadata such as timestamps and device information
- Face and person recognition clusters
- Deleted content metadata, event clustering, and even search history
According to the report, “an attacker with access to a user’s macOS device could also exploit the vulnerability to determine remote information of other devices linked to the same iCloud account.”
Microsoft developed a proof-of-concept exploit named “Sploitlight”, which successfully automated the data-leak process by using the mdimport and log utilities. “Despite Spotlight plugins being carefully and heavily restricted, they can still be abused to exfiltrate file contents,” the report notes.
Upon discovery, Microsoft responsibly disclosed the flaw through its Coordinated Vulnerability Disclosure (CVD) process. Apple patched the vulnerability on March 31, 2025, in its macOS Sequoia update.