Apple's macOS has a vulnerability that allows users with standard privileges to disable enterprise security tools, including EDRs and MDMs, without needing admin credentials. Researchers at XM Cyber found that the issue stems from how macOS validates application trust: the technique lets an attacker impersonate trusted components and thereby invoke privileged functions.
CrowdStrike and Kandji were the specific targets examined, with potential impact on any other application that exposes privileged Cross-Process Communication (XPC) services. XM Cyber developed an open-source tool, XPC Hunter, for identifying such vulnerabilities and plans to demonstrate it at Black Hat USA in August 2026. The underlying flaw relates to how macOS caches application authenticity credentials, which allows modifications to go undetected. Apple has not indicated that it intends to change the underlying mechanism, leaving affected vendors responsible for implementing their own mitigations.
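The article does not detail what XM Cyber's technique does, so the following is not the fix for that finding and is not code from XM Cyber, CrowdStrike, Kandji or Apple. It is an added example of the general hardening a privileged XPC service should apply on the defender's side: pin a code-signing requirement to every incoming `NSXPCConnection` so that the framework verifies the peer against it on each message, instead of the service deciding trust once from a PID lookup. The service name, bundle identifier, team ID, protocol and implementation class are placeholders (assumptions made for the example).

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical code-signing requirement: only a binary signed by this team with
// this bundle identifier may talk to the service. Both values are placeholders.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.agent-ui\" "
     "and certificate leaf[subject.OU] = \"TEAMID_PLACEHOLDER\"";

// Hypothetical privileged interface exposed by the service.
@protocol AgentControl <NSObject>
- (void)privilegedOperationWithReply:(void (^)(BOOL ok))reply;
@end

@interface AgentControlImpl : NSObject <AgentControl>
@end

@implementation AgentControlImpl
- (void)privilegedOperationWithReply:(void (^)(BOOL ok))reply {
    // Placeholder body; the real work would run here, after the peer has
    // already been validated by the connection's requirement.
    reply(YES);
}
@end

@interface HardenedListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation HardenedListenerDelegate

// Fail closed at startup if the requirement string does not parse. A typo in
// the requirement should stop the service, not be discovered in production.
+ (BOOL)requirementIsWellFormed {
    SecRequirementRef req = NULL;
    OSStatus st = SecRequirementCreateWithString(
        (__bridge CFStringRef)kClientRequirement, kSecCSDefaultFlags, &req);
    if (req) CFRelease(req);
    return st == errSecSuccess;
}

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (@available(macOS 13.0, *)) {
        // Bind the requirement to the connection: the framework checks the
        // peer's signature against it on every message, keyed on the
        // kernel-supplied audit token rather than on a PID the caller controls.
        [newConnection setCodeSigningRequirement:kClientRequirement];
    } else {
        // No public, race-free peer validation is available before macOS 13;
        // refuse the connection rather than fall back to a PID-based check.
        return NO;
    }
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(AgentControl)];
    newConnection.exportedObject = [AgentControlImpl new];
    [newConnection resume];
    return YES;
}
@end

int main(void) {
    @autoreleasepool {
        if (![HardenedListenerDelegate requirementIsWellFormed]) {
            NSLog(@"client code-signing requirement does not parse; refusing to start");
            return 1;
        }
        // Placeholder Mach service name; in a real deployment it comes from the
        // service's launchd plist.
        NSXPCListener *listener = [[NSXPCListener alloc]
            initWithMachServiceName:@"com.example.privileged-helper"];
        HardenedListenerDelegate *delegate = [HardenedListenerDelegate new];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

The design choice worth noting is where trust is evaluated: a requirement attached to the connection is re-checked by the framework for each message, whereas a one-time check in the delegate that looks up the peer by PID can be satisfied by a process that no longer exists or has been replaced by the time the privileged call arrives. Pinning to a team identifier and bundle identifier, rather than only to "signed by Apple", also keeps other legitimately signed software from reaching the privileged interface.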