Executive Summary
A critical vulnerability in Apple macOS (CVE-2026-39118) enables standard users to disable or permanently deactivate enterprise security tools, including EDR and MDM agents, without requiring administrator credentials or kernel-level exploits. Discovered by XM Cyber and publicly disclosed in June 2026, this attack chain leverages legitimate macOS behaviors—specifically weak XPC validation, malicious payload injection into NIB files, and abuse of the kernel code-signing trust cache. The vulnerability has been confirmed in the Kandji MDM agent and demonstrated against CrowdStrike Falcon Sensor and another unnamed EDR vendor. The underlying macOS design flaw remains unaddressed by Apple, placing the onus on security vendors and organizations to implement mitigations. This report provides a comprehensive technical analysis, exploitation context, and actionable recommendations for enterprise defenders.
Technical Information
The vulnerability, tracked as CVE-2026-39118, is a privilege escalation and endpoint security bypass affecting the Kandji MDM agent and potentially other security agents on macOS. The attack chain consists of three primary components: weak XPC validation, malicious NIB injection, and trust cache abuse.
Weak XPC validation allows attackers to exploit inter-process communication channels between user and privileged components. By crafting malicious XPC messages, a non-privileged user can interact with security agent daemons that lack robust client validation, enabling unauthorized actions.
Malicious NIB injection involves placing a payload within Interface Builder NIB files, which are loaded by macOS applications. When a legitimate application loads a compromised NIB, the attacker’s code executes in the context of the target process, facilitating further privilege escalation or agent manipulation.
Trust cache abuse leverages the macOS kernel’s code-signing trust cache. Once a legitimately signed application is executed, its CDHash is cached and trusted for subsequent executions. Attackers can replace or modify the application binary with a malicious version that retains the original CDHash, bypassing code-signing enforcement and allowing persistent tampering with security agents.
The impact is severe: a standard user can silently unload or permanently deactivate EDR/MDM agents, evading detection and response mechanisms. This undermines the security posture of enterprise macOS deployments, as attackers can disable endpoint defenses without triggering alerts or requiring elevated privileges.
Exploitation in the Wild
The vulnerability has been demonstrated against the CrowdStrike Falcon Sensor, Kandji MDM agent, and a third unnamed enterprise EDR vendor. Kandji responded by releasing an updated agent and assigning CVE-2026-39118. CrowdStrike acknowledged the issue, paid a bug bounty, and implemented additional detections, with further mitigations in progress. Apple has stated that it does not plan to remediate the underlying macOS design issue, leaving mitigation to third-party vendors.
There is no evidence of widespread exploitation in the wild as of this report. However, XM Cyber has announced plans to release an open-source tool, "XPC Hunter," and will present full technical details at Black Hat USA 2026. The public release of detection and exploitation tools may increase the risk of real-world attacks.
CISA does not currently list CVE-2026-39118 in its Known Exploited Vulnerabilities (KEV) catalog, and there is no CISA-confirmed active exploitation at this time.
APT Groups using this vulnerability
While no advanced persistent threat (APT) groups have been publicly confirmed exploiting this specific vulnerability, the ShinyHunters group has been linked to research and interest in macOS security bypasses. The broader threat landscape indicates a surge in Apple-focused malware development, with infostealers and distribution-as-a-service models increasingly targeting macOS users. Techniques such as obtaining valid Apple developer signatures and social engineering to bypass Apple’s Transparency, Consent, and Control (TCC) privacy framework are prevalent. Organizations should remain vigilant for evolving TTPs that may incorporate this vulnerability into future campaigns.
Affected Product Versions
The primary affected product is the Kandji MDM agent, specifically all versions prior to 4.7.5(5374). The vulnerability is agent-specific rather than OS-version-specific, but any supported macOS version running a vulnerable agent is at risk. Confirmed affected macOS releases include macOS Tahoe (26.x), macOS Sonoma (14.x), macOS Sequoia (15.x), and any other version supported by the vulnerable agent.
CrowdStrike Falcon Sensor and an unnamed EDR vendor are also affected, though specific version numbers have not been disclosed publicly as of this report. The risk extends to any enterprise environment deploying EDR/MDM solutions that rely on similar inter-process communication and code-signing trust mechanisms.
Workaround and Mitigation
Organizations should immediately update the Kandji MDM agent to version 4.7.5(5374) or later. Monitor for updates and advisories from CrowdStrike and other EDR vendors, as additional mitigations may be released. Implement monitoring for unexpected changes to security agent status, such as agent unloading or deactivation events.
Vendors should harden XPC client validation, ensuring that only authorized processes can communicate with privileged components. Regularly audit NIB files within application bundles for unauthorized modifications, and monitor for suspicious inter-process communications originating from non-privileged users.
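As an added illustration of the XPC client hardening recommended above (example code, not from Kandji, CrowdStrike, Apple or XM Cyber): an Objective-C listener delegate for a privileged agent daemon that binds each incoming connection to a code-signing requirement rather than trusting the caller's PID. The Team ID, bundle identifier, Mach service name and protocol are placeholders.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical control interface the privileged daemon exposes to its own UI helper.
@protocol AgentControlProtocol <NSObject>
- (void)agentStatusWithReply:(void (^)(NSString *status))reply;
@end

@interface AgentListenerDelegate : NSObject <NSXPCListenerDelegate, AgentControlProtocol>
@end

@implementation AgentListenerDelegate

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)connection
{
    // connection.processIdentifier is not an identity check: PIDs are reused and any
    // local process can open the Mach service. Bind the peer to a code-signing
    // requirement so the framework invalidates the connection if the caller fails it.
    if (@available(macOS 13.0, *)) {
        // Placeholder Team ID and bundle identifier; a vendor substitutes its own.
        NSString *requirement =
            @"anchor apple generic"
            " and certificate leaf[subject.OU] = \"ABCDE12345\""
            " and identifier \"com.example.agent-ui\"";
        [connection setCodeSigningRequirement:requirement];
    } else {
        // No public peer-binding API before macOS 13: fail closed, do not fall back to PID.
        return NO;
    }
    connection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(AgentControlProtocol)];
    connection.exportedObject = self;
    [connection resume];
    return YES;
}

- (void)agentStatusWithReply:(void (^)(NSString *))reply { reply(@"running"); }

@end

int main(void)
{
    @autoreleasepool {
        // Placeholder Mach service name; it must match the daemon's launchd plist.
        AgentListenerDelegate *delegate = [AgentListenerDelegate new];
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.agent.control"];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

A requirement of this form establishes who the peer is; it does not by itself cover the trust-cache abuse described above, where a tampered binary still presents a trusted CDHash, so it belongs alongside the agent-status monitoring the report recommends.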
Given that Apple does not plan to address the underlying design issue, ongoing vigilance and layered defense strategies are essential. Organizations should also monitor for the release of "XPC Hunter" and incorporate its detection capabilities into their security operations.
Indicators of Compromise
Caveat: indicators of compromise are point-in-time and should be validated before enforcement. The IOCs below are extracted from public sources related to macOS malware campaigns and social engineering attacks, not specifically from CVE-2026-39118 exploitation, but are relevant for broader macOS threat monitoring.
Type | Indicator | Reported (date) | Source
Domain | docx[.]scpt | 2026-06-24 | mallory.ai
Domain | mallory[.]ai | 2026-06-24 | mallory.ai
Domain | mcas[.]ms | 2026-06-24 | mallory.ai
Domain | scworld[.]com | 2026-06-24 | scworld.com
No specific file hashes or network indicators have been published for CVE-2026-39118 as of this report. Detection opportunities include monitoring for unexpected unloading or deactivation of EDR/MDM agents, suspicious XPC activity from non-privileged users, and unauthorized modifications to NIB files in application bundles.
References
SentinelOne Vulnerability Database: CVE-2026-39118
Mallory.ai Technical Analysis
SecurityWeek Coverage
SC Media Brief
Dark Reading News
XM Cyber Twitter Announcement
CVE-2026-39118 NVD Entry (pending full publication)
Rescana is here for you
Rescana empowers organizations to manage third-party risk and supply chain security with our advanced TPRM platform, providing continuous monitoring, automated assessments, and actionable intelligence to strengthen your cyber resilience. We are happy to answer questions at info@rescana.com.