Carlos Garrido

**Name of the Vulnerable Software and Affected Versions** Acronis True Image (macOS) versions prior to build 42389 Acronis True Image for SanDisk (macOS) versions prior to build 42198 Acronis True Image for Western Digital (macOS) versions prior to build 42197 **Description** An insecure XPC service configuration can lead to local privilege escalation. XPC (eXtension Programming Interface) is a macOS framework for inter-process communication. An insecure configuration of this service allows an attacker to gain elevated privileges on the system. **Recommendations** Update Acronis True Image (macOS) to build 42389 or later. Update Acronis True Image for SanDisk (macOS) to build 42198 or later. Update Acronis True Image for Western Digital (macOS) to build 42197 or later.

**Name of the Vulnerable Software and Affected Versions** Epson printer and scanner firmware Web Installer Epson printer driver installer **Description** The Epson Web Installer for printer and scanner firmware and the `com.epson.InstallNavi.helper` tool, included with the Epson printer driver installer, have a security issue. The vulnerability stems from a lack of authentication for a critical function and flaws in the implementation of the `com.epson.InstallNavi.helper` tool. Specifically, the tool does not properly authenticate clients over the XPC protocol and incorrectly enforces macOS’s authorization model. It uses overly permissive custom rights registered in the system’s authorization database (`/var/db/auth.db`). These rights can be requested and granted by the authorization daemon to any local user, regardless of privilege level. This allows an attacker to perform privileged operations, such as executing arbitrary commands or installing system components, without administrative credentials. **Recommendations** Apply updates to the Epson printer and scanner firmware Web Installer. Update the Epson printer driver installer.

**Name of the Vulnerable Software and Affected Versions** Rocket.Chat (affected versions not specified) **Description** The issue allows bypassing Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements, such as microphone, camera, automation, and network client. The application is vulnerable to DYLIB injection attacks due to not being signed with the Hardened Runtime nor set to enforce Library Validation, which can lead to unauthorized actions or escalation of permissions. As a result, an attacker gains capabilities that are not permitted by default under the Sandbox and its application profile. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ws.stash.app.mac.daemon.helper (affected versions not specified) **Description** The issue is caused by an incorrect use of macOS’s authorization model in the ws.stash.app.mac.daemon.helper tool. Instead of validating the client's authorization reference, the helper invokes AuthorizationCopyRights() using its own privileged context, effectively authorizing itself rather than the client. This allows unprivileged clients to invoke privileged operations via XPC, including unauthorized changes to system-wide network preferences such as SOCKS, HTTP, and HTTPS proxy settings. The absence of proper code-signing checks enables arbitrary processes to exploit this flaw, leading to man-in-the-middle (MITM) attacks through traffic redirection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Archify (affected versions not specified) **Description** The issue is related to insufficient client validation in the privileged helper tool, com.oct4pie.archifyhelper, which is exposed via XPC. This tool is responsible for privileged operations such as arbitrary file deletion and file permission changes. However, it does not verify the code signature, entitlements, or signing flags of the connecting client, allowing any local process to establish a connection and invoke privileged functionality. This leads to unauthorized execution of actions with root-level privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** K7 Security Anti-Malware (affected versions not specified) **Description** A flaw in the `K7RKScan.sys` driver allows a local low-privilege user to send crafted IOCTL (Input/Output Control) requests to terminate various processes running with administrative or system-level privileges, excluding those inherently protected by the operating system. This issue is caused by missing access control in the driver's IOCTL handler, which enables unprivileged users to perform privileged actions within the kernel space. Successful exploitation can result in a denial of service by disrupting privileged applications or critical services. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sensei Mac Cleaner (affected versions not specified) **Description** The issue allows an attacker to perform multiple operations as the root user, including arbitrary file deletion and writing, loading and unloading daemons, manipulating file permissions, and loading extensions. The vulnerable module org.cindori.SenseiHelper can be contacted via XPC and is susceptible to a PID Reuse Attack, enabling an attacker to impersonate a legitimate client and send crafted XPC messages to invoke arbitrary methods exposed by the HelperProtocol interface. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: com.uaudio.bsd.helper service (affected versions not specified) Description: The issue concerns a lack of proper client validation during XPC inter-process communication (IPC) in the com.uaudio.bsd.helper service, which handles privileged operations. This service fails to verify the code requirements, entitlements, or security flags of any client attempting to establish a connection. As a result, unauthorized clients can exploit the service's methods and escalate privileges to root. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nimble Commander (affected versions not specified) **Description** The issue arises from the server's improper validation of a client's authorization, specifically in the info.filesmanager.Files.PrivilegedIOHelperV2 component. This allows for the execution of system-level commands as the root user, including changing permissions and ownership, obtaining a handle of an arbitrary file, and terminating processes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.