Attention macOS Users: This Vulnerability Hurts

XM Cyber has discovered a new macOS vulnerability that allows standard users to disable corporate security tools.

Security firm XM Cyber has disclosed a macOS technique that lets standard user accounts disable some corporate security tools without administrator rights. The researchers shared their findings ahead of their Black Hat Arsenal presentation in August, where they plan to introduce an open-source tool they call XPC Hunter.

XM Cyber reported successful attacks against macOS security products including CrowdStrike Falcon and Kandji. The technique is not a remote attack: attackers must first gain access to a standard user account on the target Mac.

Although the need for an existing account limits the scope of the attack, it does not diminish the significance of the research. Attackers who gain a foothold on a Mac often try to disable monitoring tools before moving deeper into the system.

Trusted macOS communication channels are the target

XM Cyber removed the CrowdStrike Falcon sensor from a standard user account by abusing a privileged XPC service. The researchers also disabled Kandji's removal protections and turned off endpoint containment features through privileged XPC call chains.

None of these demonstrations required a kernel exploit or a System Integrity Protection (SIP) bypass. Kandji has fixed the reported vulnerability, which has been assigned CVE-2026-39118 in the public CVE database.

XPC is Apple's framework for communication between applications and background services. Developers use XPC to request administrative actions while keeping privileged functionality isolated from user-facing software.

XM Cyber argues that some developers rely too heavily on code signing when deciding which software may invoke sensitive XPC paths. The researchers state that the technique targets how applications authenticate the requests sent to privileged services.

The attack begins when macOS caches a trust fingerprint as a user launches a legitimate, signed application. The researchers say an attacker can retain that trust while replacing parts of the application bundle with a malicious payload.

This cached trust can let a standard user account invoke privileged XPC methods normally reserved for trusted software components. XM Cyber argues that the problem stems from the way some applications establish trust rather than from a direct bypass of macOS security protections.
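As an added illustration (not from the article, XM Cyber or any vendor) of how a privileged XPC service can pin its callers with a code-signing requirement instead of accepting any connection that carries a valid-looking signature; the protocol, service name and Team ID are placeholders:

```swift
import Foundation

// Added illustration, not XM Cyber's or any vendor's code. The protocol,
// bundle identifier and Team ID below are placeholders.
@objc protocol PrivilegedAgentProtocol {
    func applyPolicy(_ name: String, reply: @escaping (Bool) -> Void)
}

// Weak requirement, shown for contrast: any Apple-issued signing chain
// satisfies it, so every App Store or Developer ID signed process can connect.
let weakRequirement = "anchor apple generic"

// Hardened requirement: pins the caller to one code-signing identifier and one
// Team ID (leaf certificate OU), so a different signed app is refused.
let hardenedRequirement = """
anchor apple generic and identifier "com.example.admin-console" \
and certificate leaf[subject.OU] = "TEAMID0000"
"""

final class AgentListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        // macOS 13+: libxpc itself evaluates the requirement against the peer's
        // code signature and invalidates the connection if it does not match,
        // instead of the service trusting a name, pid or earlier decision.
        if #available(macOS 13.0, *) {
            connection.setCodeSigningRequirement(hardenedRequirement)
        } else {
            // No public per-connection requirement API on older systems:
            // refuse rather than fall back to pid- or name-based trust.
            return false
        }
        connection.exportedInterface = NSXPCInterface(with: PrivilegedAgentProtocol.self)
        connection.exportedObject = AgentService()
        connection.resume()
        return true
    }
}

final class AgentService: NSObject, PrivilegedAgentProtocol {
    func applyPolicy(_ name: String, reply: @escaping (Bool) -> Void) {
        // Placeholder for the privileged action the service performs.
        reply(true)
    }
}
```

The requirement string is evaluated by the system, so the service does not have to parse or cache anything about the client itself; changing `TEAMID0000` to the real Team ID and the identifier to the real caller are the only deployment-specific edits.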

Security measures for enterprise Mac deployments

CrowdStrike Falcon, Kandji and similar products help organizations monitor devices, enforce security policies and respond to threats. The findings arrive as Macs are increasingly adopted in corporate environments.

Security software and management agents are often the systems standing between a compromised user account and access to company data. That no administrator credentials are needed is one of the key elements that makes this research notable.

Kandji's CVE assignment adds weight to the research, since at least one vendor has acknowledged and fixed a concrete vulnerability identified with this technique. While vendors continue to investigate the broader findings, Apple has not yet published a security advisory on the matter.

XM Cyber plans to release the XPC Hunter tool at Black Hat Arsenal in Las Vegas on August 5, where the researchers will demonstrate the tool and discuss the macOS XPC attack technique in more detail.

The technique requires attackers to first obtain access to an existing user account. Strong passwords and multi-factor authentication reduce the chances of an attacker taking that first step.

Mac users should keep their security software, device management tools and macOS itself up to date while vendors investigate the findings and release fixes. Organizations managing large Mac fleets should review vendor guidance for additional mitigations and security updates.
