Security researchers have disclosed a new macOS flaw that lets attackers shut down your security software after getting onto your machine — no admin password, no kernel exploit, and almost no trace left behind.
The attack takes advantage of how macOS apps earn each other’s trust, and if you use a Mac at work, it is exactly the type of thing your IT needs to know about.
macOS security flaw shows Macs aren’t 100% safe from hackers
Mac users have long enjoyed a reputation for being safer from malware and cyberattacks than their Windows counterparts, thanks in part to Apple’s tighter control over hardware and software. But security experts warn that no operating system is immune. As Macs have grown more popular in homes and workplaces, they’ve become increasingly attractive targets for hackers, who now routinely search for flaws in macOS and third-party applications.
This new exploit abuses macOS’s built-in app trust mechanisms to disable enterprise security tools from within.
How does this macOS security flaw actually work?
The flaw was discovered by security firm XM Cyber. The company plans to give a full public demo at the Black Hat Arsenal, which will be held in Las Vegas this August. They are also planning to release a free tool called XPC Hunter that scans Macs for the same weakness.
The exploit lives in XPC — Apple’s framework that lets apps communicate with background services that hold elevated permissions. Normally, macOS checks an app’s cryptographic signature to see whether it is legitimate. Once the check passes, the system caches the result instead of re-checking it, to speed things up.
That caching is the problem. Researchers say an attacker who is already running code on the Mac can launch a legitimately signed app to inherit macOS’s trust in it and insert malicious code. From there, the attacker can call privileged functionality reserved for the security software, including the commands built to switch it off for maintenance.
Instead of using kernel exploits or bypassing System Integrity Protection, the flaw turns Apple’s very own trust system against itself.
Which security tools are hit?
XM Cyber successfully tested the technique against CrowdStrike Falcon and Kandji. For context, these two security and device management platforms are widely used on company-owned Macs.
CrowdStrike has reportedly added detections and paid out a bug bounty. Kandji has shipped a fix, and the flaw has been assigned an identifier in the public vulnerability database (CVE-2026-39118).
Apple hasn’t said much
At the time of writing, Apple has not issued a security advisory and has not independently confirmed the findings. For a platform used by enterprises, that silence does not look great.
Developers already have a fix: Apple’s own API lets them verify who’s calling them instead of relying on a cached signature.
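To make the difference between a cached trust decision and per-message caller verification concrete, here is an added Swift example of a privileged XPC helper. It is not code from XM Cyber, CrowdStrike, Kandji or Apple; the protocol, the Mach service name, the bundle identifier and the Team ID are placeholders, and the "weak" delegate is an illustrative anti-pattern, not a claim about how any vendor implemented their check. The hardened delegate uses Apple's public `setCodeSigningRequirement(_:)` on NSXPCConnection (macOS 13+), which has the system evaluate the peer process against a code-signing requirement for the messages it receives rather than trusting one earlier verdict.

```swift
import Foundation
import Security

// Hypothetical interface of a privileged helper (placeholder, not a vendor's real protocol).
@objc protocol MaintenanceProtocol {
    func disableProtection(reason: String, reply: @escaping (Bool) -> Void)
}

final class MaintenanceService: NSObject, MaintenanceProtocol {
    func disableProtection(reason: String, reply: @escaping (Bool) -> Void) {
        NSLog("Protection disabled for maintenance: %@", reason)
        reply(true)
    }
}

/// Weak pattern (illustrative only): resolve the peer by PID, validate its signature once,
/// and remember the verdict. PIDs are recycled and a process can change after the check,
/// so a remembered verdict says nothing about who is on the other end of the next message.
final class CachedPidCheckDelegate: NSObject, NSXPCListenerDelegate {
    private var trustedPids = Set<pid_t>()

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        let pid = connection.processIdentifier
        if !trustedPids.contains(pid) {
            var code: SecCode?
            let attrs: [CFString: Any] = [kSecGuestAttributePid: pid]
            guard SecCodeCopyGuestWithAttributes(nil, attrs as CFDictionary, [], &code) == errSecSuccess,
                  let peer = code,
                  SecCodeCheckValidity(peer, [], nil) == errSecSuccess else {
                return false
            }
            trustedPids.insert(pid)   // cached: never re-evaluated for this PID
        }
        connection.exportedInterface = NSXPCInterface(with: MaintenanceProtocol.self)
        connection.exportedObject = MaintenanceService()
        connection.resume()
        return true
    }
}

/// Hardened pattern: pin a designated requirement on the connection itself, so the peer is
/// checked by the system for the messages it sends, not once at accept time.
final class RequirementCheckedDelegate: NSObject, NSXPCListenerDelegate {
    // Placeholder requirement; a real helper pins its own bundle ID and Team ID here.
    private let requirement =
        "anchor apple generic and identifier \"com.example.securityagent\" " +
        "and certificate leaf[subject.OU] = \"EXAMPLETEAMID\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        if #available(macOS 13.0, *) {
            // The system validates the peer against this requirement and invalidates the
            // connection if it fails, so a cached or borrowed verdict is never reused.
            connection.setCodeSigningRequirement(requirement)
        } else {
            // No public per-message peer validation available: refuse rather than fall back
            // to a PID lookup.
            NSLog("Rejecting XPC client pid %d: requirement pinning unavailable", connection.processIdentifier)
            return false
        }
        connection.exportedInterface = NSXPCInterface(with: MaintenanceProtocol.self)
        connection.exportedObject = MaintenanceService()
        connection.resume()
        return true
    }
}

// Placeholder Mach service name; registered in the helper's launchd plist in a real deployment.
let listener = NSXPCListener(machServiceName: "com.example.securityagent.helper")
let delegate = RequirementCheckedDelegate()
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The requirement string is the part worth getting right: "anchor apple generic" alone accepts any Developer ID-signed app, so the identifier and Team ID clauses are what restrict the maintenance commands to the vendor's own agent.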
How do I protect my Mac?
Unfortunately, there is no way to patch this flaw yourself, but you can reduce the risk. Use a strong, unique password and enable two-factor authentication wherever you can. Also keep macOS and your company’s security software up to date, since fixes are currently being rolled out vendor by vendor.
If you happen to manage Macs for a living, it’s time to push security vendors for a timeline before XPC Hunter goes public at Black Hat.
