Attackers can exploit the issue to disable security and integrated browser tools without needing administrator privileges or kernel exploits.

June 24, 2026

Researchers have uncovered a novel macOS privilege-escalation technique that allows a user with standard privileges to disable enterprise security tools and invoke privileged functions without administrator credentials.

The technique exploits how macOS establishes and validates application trust information. It enables an attacker to impersonate trusted application components and silently perform actions that should only be available to privileged processes.

Researchers at XM Cyber, who developed the technique, showed how an attacker could use it to disable CrowdStrike Falcon Endpoint Detection and Response (EDR) and Kandji Mobile Device Management (MDM) without administrator credentials or kernel exploits, and without triggering any alert.