macOS Flaw Allowed Standard Users to Disable CrowdStrike and Kandji Security Tools
macOS XPC flaw enabled standard users to disable CrowdStrike and Kandji security tools.
Summary
XM Cyber discovered a macOS vulnerability in the XPC inter-process communication architecture that allowed unprivileged users to disable enterprise security tools, including the CrowdStrike Falcon Sensor and the Kandji MDM Agent. Exploitation combined CDHash cache abuse with NIB injection to hijack trusted applications and manipulate endpoint detection and response (EDR) capabilities. Both vendors patched the vulnerability after responsible disclosure, and XM Cyber is releasing an open-source detection tool called XPC Hunter.
Full text
A macOS XPC flaw let regular users disable CrowdStrike and Kandji tools, exposing security gaps that vendors patched after XM Cyber reported the security issue.

By Deeba Ahmed, June 26, 2026. 2 minute read.

Cybersecurity defence firm XM Cyber has found a security flaw in the Apple macOS operating system. The issue centres on a vulnerability within the core communication architecture used by top enterprise protective software: a structural gap that allows ordinary system accounts to fully bypass normal security boundaries.

Chaining NIB Injections and XPC Services

Many Mac applications use a background communication system called XPC to allow different parts of the software to communicate with each other. For example, a visible app window might need to send commands to a hidden background service that runs with deep system root access. According to XM Cyber researchers, these background services usually trust any message that looks like it comes from their own app, verifying it by a code-signature hash known as a CDHash.

However, XM Cyber discovered that hackers can trick this setup by combining a method called CDHash cache exploitation with a NIB payload injection, which allows an unprivileged threat actor to hijack a trusted app. They launch a real security program so that the Mac system trusts it, then manipulate the application bundle structure to inject a malicious interface file. Once inside, the code uses a tool called JavaScript for Automation (JXA) to bypass standard scripting limits and control low-level system memory. This lets the fake program masquerade as a highly trusted component.
The background service blindly accepts the fake instructions, allowing the hacker to call built-in functions such as runProcessWithCommand and terminateAppsAndAgents. As a result, the targeted security products end up disabling, unloading, or removing themselves.

Leading Security Tools Affected

XM Cyber successfully used this technique against prominent endpoint tools on the macOS platform. On the CrowdStrike Falcon Sensor, a standard user account (UID 502) achieved full sensor unloading via an unprotected XPC interface, terminating detection, process monitoring, and network visibility.

Researchers also targeted the Kandji MDM Agent. An unprivileged user could achieve permanent agent deactivation via a two-phase XPC chain on io.kandji.kandji-daemon by impersonating the Kandji Menu app. This clears the EDR guard pointer and permanently terminates the Endpoint Security Framework (ESF) extension, removing all telemetry. A third, unnamed enterprise EDR vendor was also successfully targeted.

Because the technique abuses legitimate OS behaviour, it doesn’t trigger standard security alerts and leaves almost no forensic trace. “Organisations must treat this as a major gap in modern endpoint security models, particularly concerning insider threat vectors and post-compromise scenarios,” XM Cyber researchers noted in the report shared with Hackread.com.

Patches and Tools Released

The issue was quickly addressed after the companies were notified. CrowdStrike patched it immediately, paid a bounty reward, and added detection and prevention across all supported macOS sensor versions. Kandji also patched its software, and the flaw was officially logged as CVE-2026-39118. The unnamed third company is currently working on a patch.

To help organisations find this issue across their entire Mac estate, XM Cyber has built an open-source automated framework called XPC Hunter that scans for and identifies these vulnerable spots, and will release the tool at the Black Hat US security conference in August 2026.
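As an added illustration of the defensive check the article implies (this is not code from CrowdStrike, Kandji or XM Cyber), the sketch below shows a root XPC service that pins each peer to a full code-signing requirement instead of trusting a bare CDHash, and refuses unload/terminate commands from non-root callers. The service name, bundle identifier and team ID are placeholders; the command names are the ones reported above.

```objective-c
// Added example, not vendor code. A root XPC service that (1) pins peers to a
// code-signing requirement and (2) gates destructive commands on caller euid.
#include <xpc/xpc.h>
#include <dispatch/dispatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
static const char *kRequirement =                       // placeholder identity
    "anchor apple generic and identifier \"com.example.agent\" "
    "and certificate leaf[subject.OU] = \"PLACEHOLDERTEAMID\"";
// Commands that unload or kill protection (names as reported in the article).
static bool is_privileged_command(const char *cmd) {
    return strcmp(cmd, "terminateAppsAndAgents") == 0 ||
           strcmp(cmd, "runProcessWithCommand") == 0;
}
static void handle_event(xpc_connection_t peer, xpc_object_t event) {
    if (xpc_get_type(event) != XPC_TYPE_DICTIONARY) return;   // error/cancel
    const char *cmd = xpc_dictionary_get_string(event, "command");
    if (cmd == NULL) return;
    // Identity comes from the kernel-supplied audit token, never from the
    // message body; a standard user (e.g. UID 502) is refused even if its
    // process satisfied the code-signing requirement.
    uid_t euid = xpc_connection_get_euid(peer);
    if (is_privileged_command(cmd) && euid != 0) {
        fprintf(stderr, "denied %s from pid %d euid %u\n", cmd,
                xpc_connection_get_pid(peer), euid);
        xpc_object_t reply = xpc_dictionary_create_reply(event);
        if (reply) {
            xpc_dictionary_set_string(reply, "status", "denied");
            xpc_connection_send_message(peer, reply);
        }
        return;
    }
    // ... dispatch the permitted command here ...
}
int main(void) {
    xpc_connection_t listener = xpc_connection_create_mach_service(
        "com.example.agent.daemon", NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER);
    xpc_connection_set_event_handler(listener, ^(xpc_object_t peer) {
        if (xpc_get_type(peer) != XPC_TYPE_CONNECTION) return;
        // macOS 12+: messages from peers failing this requirement are dropped.
        if (xpc_connection_set_peer_code_signing_requirement(peer, kRequirement) != 0) {
            xpc_connection_cancel(peer); return;
        }
        xpc_connection_set_event_handler(peer, ^(xpc_object_t e) { handle_event(peer, e); });
        xpc_connection_resume(peer);
    });
    xpc_connection_resume(listener);
    dispatch_main();
}
```

A genuine, validly signed app that is hijacked in-process, as the article describes, still satisfies the signing requirement, so the euid gate is the check that actually stops a standard user; the requirement mainly keeps arbitrary unsigned clients off the interface.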
Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events.
Indicators of Compromise
- cve — CVE-2026-39118