Cybersecurity researchers have identified a new macOS attack technique that could weaken enterprise security software. The findings come from security company XM Cyber, which plans to present its research at the Black Hat Arsenal conference in August.
The reported method does not allow remote attacks. Instead, an attacker must first gain access to a standard user account on a Mac. However, researchers say the technique could still pose serious risks inside corporate environments.

How the Technique Works
The research focuses on Apple’s XPC framework. Developers use XPC so apps can communicate with background services that perform privileged tasks.
According to XM Cyber, some applications rely too heavily on trusted code signatures. Researchers claim attackers can exploit this trust after a legitimate app launches. The system may continue trusting the application even after malicious changes occur.
As a result, attackers could trigger privileged XPC functions without administrator credentials. XM Cyber demonstrated the technique against CrowdStrike Falcon and Kandji on macOS. The company reported that neither test required a kernel exploit or a bypass of System Integrity Protection.

Vendors Respond to the Findings
Kandji has already addressed the reported vulnerability and assigned it CVE-2026-39118. Meanwhile, Apple has not released a security advisory related to the research.
Researchers believe the issue extends beyond two products. Therefore, developers may need stronger methods to verify privileged requests instead of depending mainly on code-signing trust.

What Mac Users Should Do
The reported attack requires access to an existing user account. Therefore, strong passwords and multi-factor authentication remain important first defenses.
Users should also install macOS updates and security software as soon as they become available. In addition, organizations should review guidance from security vendors and apply recommended patches quickly.
XM Cyber plans to release its open-source XPC Hunter tool during Black Hat Arsenal on August 5. The presentation could help developers better understand the weakness and strengthen future macOS security protections. Until then, experts recommend limiting user privileges and keeping all security tools fully updated.












