Apple’s privacy fortress, the Transparency, Consent, and Control (TCC) framework, has been breached once again. Security researcher Mickey Jin (@patch1t) has disclosed a sophisticated new vulnerability, CVE-2025-43530, which leverages a flaw in the macOS accessibility tools to completely bypass user privacy protections.
The vulnerability resides deep within the ScreenReader.framework, a module designed to support the VoiceOver accessibility feature. By manipulating a private API within the system’s com.apple.scrod service, an attacker can trick the operating system into executing malicious commands without the user ever seeing a permission prompt.
The core of the issue lies in how the system decides whom to trust. The vulnerable service, com.apple.scrod, attempts to verify whether a requesting client is legitimate using a function called isClientTrustedWithPortToken. However, Jin’s analysis reveals that this gatekeeper is fundamentally broken.
“This verification logic contains at least two security issues,” the report notes.
The first failure is an over-reliance on code signing. The system automatically trusts any process signed by Apple itself. “If the XPC client is signed by Apple (csreq string: ‘anchor apple’), then it will be trusted”.
While this sounds logical, it ignores the reality that Apple-signed binaries can be manipulated. Jin points out that “it is easy to inject into an Apple-signed executable,” providing an example where a simple command line tool (ssh) can be forced to load a malicious payload while retaining its trusted Apple signature.
The second failure is a classic Time-of-Check Time-of-Use (TOCTOU) bug. The system identifies the client by the file path of its executable rather than by its kernel-supplied audit token, so an attacker can swap the file at that path between the moment it is checked and the moment it is used.
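Both weaknesses above come down to how an XPC service identifies its caller. The following is an added example, not code from Jin’s write-up or from Apple’s fix, showing the two checks a service can make instead: resolve the client from its audit token (which the kernel stamps on the message, so it cannot be swapped the way a path can) and apply a signing requirement tighter than a bare "anchor apple", plus a check that the caller runs with hardened runtime and library validation so an injected dylib would have been refused at load time. The bundle identifier in the requirement string and the function name are hypothetical, and xpc_connection_get_audit_token is Apple SPI that is not declared in the public SDK headers.

```objective-c
// Added example (not from the original write-up or from Apple's code).
// Identify an XPC client by audit token and a pinned requirement, not by path.
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#include <xpc/xpc.h>
#include <bsm/libbsm.h>
#include <stdbool.h>
#include <stdint.h>

// ASSUMPTION: this accessor is Apple SPI, not in the public SDK; declared here.
// The audit token is attached by the kernel to the client's Mach message, so it
// identifies the calling process itself rather than a file the client controls.
extern void xpc_connection_get_audit_token(xpc_connection_t connection,
                                           audit_token_t *token);

// Hypothetical requirement: pin the caller to one Apple bundle identifier.
// "anchor apple" alone matches every Apple-signed binary on the system.
#define TRUSTED_REQUIREMENT \
    "anchor apple and identifier \"com.example.hypothetical-client\""

static bool is_client_trusted(xpc_connection_t client) {
    bool trusted = false;
    audit_token_t token;
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    CFDictionaryRef info = NULL;
    CFNumberRef flagsNum = NULL;
    uint32_t flags = 0;
    const uint32_t required =
        kSecCodeSignatureRuntime | kSecCodeSignatureLibraryValidation;

    xpc_connection_get_audit_token(client, &token);

    // Resolve the running code object from the audit token (no path lookup).
    CFDataRef tokenData =
        CFDataCreate(kCFAllocatorDefault, (const UInt8 *)&token, sizeof(token));
    const void *keys[] = { kSecGuestAttributeAudit };
    const void *values[] = { tokenData };
    CFDictionaryRef attrs = CFDictionaryCreate(
        kCFAllocatorDefault, keys, values, 1,
        &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);

    if (SecCodeCopyGuestWithAttributes(NULL, attrs, kSecCSDefaultFlags, &code)
            != errSecSuccess)
        goto out;

    // 1. Signature requirement with a pinned identifier, evaluated against the
    //    live code object rather than against whatever file sits at a path.
    if (SecRequirementCreateWithString(CFSTR(TRUSTED_REQUIREMENT),
                                       kSecCSDefaultFlags, &req) != errSecSuccess)
        goto out;
    if (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) != errSecSuccess)
        goto out;

    // 2. Injection resistance: hardened runtime + library validation means the
    //    loader would have rejected a foreign dylib in this Apple-signed process.
    if (SecCodeCopySigningInformation(code, kSecCSDynamicInformation, &info)
            != errSecSuccess)
        goto out;
    flagsNum = (CFNumberRef)CFDictionaryGetValue(info, kSecCodeInfoFlags);
    if (flagsNum == NULL ||
        !CFNumberGetValue(flagsNum, kCFNumberSInt32Type, &flags))
        goto out;
    if ((flags & required) != required)
        goto out;

    trusted = true;
out:
    if (info) CFRelease(info);
    if (req) CFRelease(req);
    if (code) CFRelease(code);
    CFRelease(attrs);
    CFRelease(tokenData);
    return trusted;
}
```

Call is_client_trusted from the listener's connection-accept or message handler before acting on any request; because the lookup starts from the audit token, a client that replaces the file at its own path after connecting gains nothing, and a client that is Apple-signed but has no library validation is rejected before its requests reach VoiceOver automation.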
The consequences of this flaw are severe. By tricking the VoiceOver system, an attacker gains the ability to automate the entire machine via AppleScript, effectively becoming a “ghost user” with full control.
“As a result, an attacker can execute arbitrary AppleScript files and send AppleEvents to any target process (such as Finder), thereby completely bypassing the TCC protection mechanism,” the write-up explains.
This means an attacker could access sensitive data—like photos, contacts, or location—without the user granting permission. The researcher has published proof-of-concept exploit code.
Apple has released a fix for the vulnerability, noting that “This issue was addressed with improved checks”. Users are strongly advised to update their devices immediately.
The fix is included in the following releases:
- macOS Tahoe 26.2
- macOS Sonoma 14.8.3
- macOS Sequoia 15.7.3
- iOS/iPadOS 18.7.3