Cybersecurity firm XM Cyber has unveiled a technique that allows standard (non-administrator) macOS user accounts to silently disable endpoint security tools such as EDR and MDM agents without triggering alerts. The technique exploits known weaknesses in XPC connections and in the kernel's code-signing trust cache. Demonstrated successfully against CrowdStrike Falcon and Kandji MDM, the method disabled these security safeguards without requiring any kernel exploit.
In response, CrowdStrike implemented detection measures and Kandji patched the issue, assigning CVE-2026-39118 to the vulnerability. XM Cyber plans to release an open-source tool, XPC Hunter, to automate the detection of similar vulnerabilities, with a presentation scheduled for Black Hat US in August 2026.