HeadlinesBriefing.com

macOS XPC Flaw Lets Standard Users Disable Security Tools

Source: AppleInsider

XM Cyber researchers uncovered a macOS vulnerability that allows standard (non-admin) user accounts to disable enterprise security tools such as CrowdStrike Falcon and Kandji. The flaw abuses trust relationships in Apple's XPC inter-process communication framework, letting an attacker issue privileged requests to a service without administrator credentials. The researchers demonstrated it with an open-source tool called XPC Hunter, which successfully unloaded security sensors and deactivated endpoint protections. While the attack requires prior access to an account on the machine, it undermines the assumption that a standard user account is a meaningful limit in Mac deployments.

The vulnerability stems from how applications establish trust with XPC services. Attackers can leverage cached trust relationships from legitimate signed apps to execute privileged actions. Kandji patched its specific vulnerability (CVE-2026-39118), but XM Cyber argues the issue reflects broader weaknesses in how developers verify privileged service calls. The research highlights risks for enterprises relying on Mac security tools, as attackers could bypass monitoring solutions before escalating network access. Apple has not issued an advisory, leaving vendors to address the flaw.

The discovery matters because Macs are increasingly common in corporate environments, and tools like Falcon and Kandji act as critical barriers against threats there. The flaw shows that even non-admin accounts can compromise these defenses, challenging the traditional model in which only administrators can tamper with security software. XM Cyber will demonstrate XPC Hunter at Black Hat Arsenal in August, offering insights into mitigations. Users should update software, enforce strong passwords, and limit privileges. For organizations, the lesson is that privileged XPC services need stricter verification of which client is calling them, rather than relying solely on the fact that the caller carries a valid code signature.
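The mitigation the article closes on, a privileged service verifying its caller rather than trusting any signed app, is illustrated below with an NSXPCListener delegate. This is an added example, not code from XM Cyber, Apple, CrowdStrike or Kandji, and it does not reproduce the specific vulnerability; the Team ID, bundle identifier, service name and protocol are placeholders. It uses `NSXPCConnection`'s `setCodeSigningRequirement:` (macOS 13 and later), which makes the framework validate the peer's signature against a pinned requirement on every message.

```objective-c
// Added illustration of a privileged XPC helper that pins its caller.
// Placeholders (not from the article): Team ID, bundle identifier, service name.
#import <Foundation/Foundation.h>

// Requirement string: a Developer ID / App Store signed binary whose identifier
// and signing Team ID both match. "anchor apple generic" alone would accept ANY
// Apple-issued developer certificate, which is the kind of over-broad trust the
// article warns about.
static NSString *const kClientRequirement =
    @"anchor apple generic"
    @" and identifier \"com.example.security-agent\""          // placeholder
    @" and certificate leaf[subject.OU] = \"TEAMID0000\"";      // placeholder Team ID

// Hypothetical protocol exposed by the helper.
@protocol SensorControlProtocol
- (void)unloadSensorWithReply:(void (^)(BOOL ok, NSString *message))reply;
@end

@interface SensorControlService : NSObject <SensorControlProtocol>
@end

@implementation SensorControlService
- (void)unloadSensorWithReply:(void (^)(BOOL, NSString *))reply {
    // Per-operation authorization (e.g. an Authorization Services right that
    // requires an admin credential) still belongs here; pinning the caller only
    // answers "who is talking to me", not "is this user allowed to do this".
    reply(NO, @"unload requires per-request admin authorization (not shown)");
}
@end

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation HelperListenerDelegate
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    // Weak pattern (avoid): deciding trust once from newConnection.processIdentifier
    // and caching it, or accepting any caller that merely has a valid signature.
    // PIDs are reused and "validly signed" describes every app on the system.
    //
    // Hardened pattern: attach a pinned requirement to the connection. Messages
    // from a peer that does not satisfy it are rejected by the framework itself.
    if (@available(macOS 13.0, *)) {
        [newConnection setCodeSigningRequirement:kClientRequirement];
    } else {
        // Assumption for this example: on older releases the helper refuses
        // rather than silently falling back to a weaker check.
        return NO;
    }

    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(SensorControlProtocol)];
    newConnection.exportedObject = [SensorControlService new];
    [newConnection resume];
    return YES;
}
@end

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Placeholder Mach service name; a real helper registers it via launchd.
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.sensor-helper"];
        HelperListenerDelegate *delegate = [HelperListenerDelegate new];
        listener.delegate = delegate;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

Two design points worth noting: the requirement pins both the identifier and the Team ID, so a different app signed by a different developer fails the check even though it is "a legitimate signed app"; and the check is attached to the connection rather than evaluated once and remembered, so it cannot be satisfied by an earlier, different process. Identity verification and authorization are still separate questions: a destructive action such as unloading a sensor should additionally require an explicit admin right per request.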