Endurance CVE-2025-10906
Severity by source: HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A flaw has been found in Magnetism Studios Endurance up to 3.3.0 on macOS. This affects the function loadModuleNamed:WithReply of the file /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper of the component NSXPC Interface. Executing manipulation can lead to missing authentication. The attack needs to be launched locally. The exploit has been published and may be used.
Analysis (AI)
Missing authentication in Magnetism Studios Endurance macOS app (versions up to 3.3.0) allows local unprivileged attackers to execute code with elevated privileges via the com.MagnetismStudios.endurance.helper NSXPC service. The loadModuleNamed:WithReply function in the LaunchServices helper lacks proper authentication checks, enabling local privilege escalation. Publicly available exploit code exists (GitHub POC published), but EPSS probability remains low at 0.03% (7th percentile), indicating limited real-world exploitation to date. Not listed in CISA KEV, suggesting targeted proof-of-concept activity rather than widespread attacks.
Technical Context (AI)
This vulnerability abuses NSXPC, the macOS inter-process communication mechanism built on XPC that lets processes communicate across privilege boundaries. The Endurance.app helper service (com.MagnetismStudios.endurance.helper) exposes the loadModuleNamed:WithReply function through an NSXPC interface without authenticating or authorizing the caller. CWE-287 (Improper Authentication) describes this failure: the privileged helper trusts incoming requests without verifying the caller's identity or entitlements. The flaw is common in macOS apps that ship privileged helper tools but do not validate the connecting client, for example in the listener:shouldAcceptNewConnection: delegate method with proper entitlement verification. The helper, located under Contents/Library/LaunchServices in the application bundle, runs with elevated privileges, which makes it a prime target for local privilege escalation.
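One way a privileged helper can authenticate its XPC callers, as an added example that is not Endurance's code and not from the original page. The service name, protocol, method signature, module allowlist and signing requirement are placeholders, and it assumes macOS 13 or later for setCodeSigningRequirement:.

```objc
// Added example; hypothetical helper, not Endurance's code.
#import <Foundation/Foundation.h>

// Placeholder requirement: replace the identifier and team ID with the
// values of the one client app that is allowed to talk to the helper.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.app\" "
    @"and certificate leaf[subject.OU] = \"TEAMID0000\"";

// Assumed interface shape; the real helper's protocol is not on the page.
@protocol ExampleHelperProtocol
- (void)loadModuleNamed:(NSString *)name withReply:(void (^)(BOOL ok))reply;
@end

@interface HelperDelegate : NSObject <NSXPCListenerDelegate, ExampleHelperProtocol>
@end

@implementation HelperDelegate
// The missing-authentication pattern is this method returning YES for every
// peer. Here the connection is bound to a code-signing requirement first.
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)conn {
    if (@available(macOS 13.0, *)) {
        // A peer that fails the requirement gets its connection invalidated.
        [conn setCodeSigningRequirement:kClientRequirement];
    } else {
        return NO; // fail closed where the API is unavailable
    }
    conn.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(ExampleHelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

// Authorization after authentication: only allowlisted names are accepted.
- (void)loadModuleNamed:(NSString *)name withReply:(void (^)(BOOL))reply {
    reply([[NSSet setWithObject:@"example.module"] containsObject:name]);
}
@end

int main(void) {
    HelperDelegate *delegate = [HelperDelegate new];
    NSXPCListener *listener =
        [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
    listener.delegate = delegate;
    [listener resume];
    [[NSRunLoop currentRunLoop] run];
}
```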
Affected Products (AI)
Magnetism Studios Endurance versions up to and including 3.3.0 on macOS platforms are confirmed vulnerable. The flaw resides in the application bundle at /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper, specifically affecting the NSXPC interface implementation. No CPE identifier was provided in NVD data. The vulnerability is macOS-specific and does not affect other operating systems. Users can verify their installation by checking the application version in the About menu or examining the Info.plist file within the application bundle.
Remediation (AI)
No vendor-released patch or updated version has been identified at the time of analysis. The VulDB references (vuldb.com/?id.325691, vuldb.com/?ctiid.325691) do not link to an official Magnetism Studios security advisory or patched release. Users should monitor the Magnetism Studios website and Mac App Store for updates beyond version 3.3.0 that address CVE-2025-10906. As compensating controls until a patch is available:
(1) Uninstall Endurance from macOS systems where it is not mission-critical, especially multi-user or shared workstations where local attackers may have physical or remote access.
(2) Restrict local user access to macOS systems running Endurance by enforcing standard (non-admin) user accounts, though this provides limited protection since PR:N indicates no privileges are required for exploitation.
(3) Deploy endpoint detection and response (EDR) tools configured to monitor unusual XPC service invocations targeting com.MagnetismStudios.endurance.helper, though this detection approach may generate false positives from legitimate app behavior.
(4) Implement application allowlisting to prevent execution of unauthorized code that could chain with this vulnerability for post-exploitation activity.
Note that disabling the helper service via launchctl may break core Endurance functionality, making this mitigation impractical for active users.