A security flaw in macOS let standard user accounts disable or remove enterprise protection tools, according to a technical analysis from XM Cyber based on tests against CrowdStrike Falcon Sensor, Kandji, and another unnamed vendor. The issue exploited a weakness in macOS XPC (inter-process communication) trust handling and affected prominent endpoint security software.
KEY FACTS
- Attack path: Researchers combined CDHash cache exploitation with NIB payload injection.
- CrowdStrike: A standard user account could unload the Falcon Sensor and stop detection and network visibility.
- Kandji: An unprivileged user could permanently deactivate the MDM agent through a two-phase XPC chain.
- Impact: The technique abused legitimate macOS behavior and left little forensic trace.
Many Mac applications use XPC to let front-end software communicate with background services that may run with root access. In the cases tested, those privileged services trusted messages that merely appeared to come from the parent app, so an attacker who could impersonate that trusted component could drive the service.
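As an added illustration (not code from XM Cyber or from any vendor named in the article), the Swift listener below shows the defensive pattern a privileged macOS XPC helper can use: bind each incoming connection to the code-signing identity of the intended client rather than trusting that a message "appears to come from the parent app". The Mach service name, protocol, bundle identifier, and team identifier are placeholders chosen for this example.

```swift
import Foundation

// Hypothetical, deliberately narrow interface. A helper that exposes generic
// "unload" or "terminate" operations hands an attacker the whole outcome the
// article describes; exposing only what the front end needs limits the damage
// even if the peer check is ever bypassed.
@objc protocol SensorControlProtocol {
    func reportStatus(reply: @escaping (String) -> Void)
}

final class SensorControlService: NSObject, SensorControlProtocol {
    func reportStatus(reply: @escaping (String) -> Void) {
        reply("sensor-running") // placeholder status string for the example
    }
}

final class HardenedListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Assumption: the legitimate client is signed with Developer ID under
    // team "TEAMID0000" and has bundle identifier "com.example.agent".
    // Both values are placeholders for this example.
    private let clientRequirement =
        "anchor apple generic " +
        "and identifier \"com.example.agent\" " +
        "and certificate leaf[subject.OU] = \"TEAMID0000\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // macOS 13+: the peer's kernel-supplied audit token is evaluated against
        // the requirement before any message reaches the exported object, so a
        // process name, PID, or a look-alike bundle is not enough to get in.
        if #available(macOS 13.0, *) {
            newConnection.setCodeSigningRequirement(clientRequirement)
        } else {
            // No safe public way to pin the peer identity here; refuse rather
            // than fall back to trusting whatever claims to be the parent app.
            return false
        }
        newConnection.exportedInterface = NSXPCInterface(with: SensorControlProtocol.self)
        newConnection.exportedObject = SensorControlService()
        newConnection.invalidationHandler = {
            // Audit point: log peer disconnects so unloads are not silent.
            NSLog("SensorControl: client connection invalidated")
        }
        newConnection.resume()
        return true
    }
}

let delegate = HardenedListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.sensor.helper")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

A peer requirement only establishes which signed binary sits at the other end of the connection. The technique described in this article ran attacker-controlled code inside the trusted client itself, so the helper must still treat every request as untrusted input, keep privileged operations narrow, and log them; the client binary in turn needs hardened runtime and library validation so that injected code cannot inherit its identity.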
The report said the method used JavaScript for Automation (JXA) to bypass standard scripting limits and manipulate low-level process memory. That allowed the fake program to call built-in functions that could unload, terminate, or remove security tools.
CrowdStrike patched the issue, paid a bounty, and added detection and prevention across supported macOS sensor versions. Kandji also patched its software and assigned the flaw CVE-2026-39118, while the third vendor is still working on a fix.
XM Cyber also plans to release an open-source framework called XPC Hunter to scan for similar issues, with publication slated for Black Hat US in August 2026.
WHY IT MATTERS
The flaw shows how weaknesses in macOS inter-process communication can undermine endpoint security even without elevated privileges. That makes it relevant to organisations that rely on Mac-based detection and response tools to stay active during an attack.