Which versions of batteryKid are affected by CVE-2025-9815?

CVE-2025-9815 affects batteryKid, a macOS utility, and allows local users to escalate privileges to root through a missing authentication flaw in the NSXPCListener implementation.

Is there a public PoC exploit available for CVE-2025-9815?

Yes, a public proof-of-concept exploit is available for CVE-2025-9815. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-9815?

Within 24 hours: Inventory all macOS systems with batteryKid installed and document version numbers; notify affected users of the vulnerability. Within 7 days: Contact batteryKid maintainers to determine patch timeline; evaluate whether batteryKid is critical to operations or can be uninstalled. Within 30 days: Apply vendor patch upon release, or remove batteryKid if no patch timeline is established and the utility is not essential.

batteryKid CVE-2025-9815

Q: What is the CVSS score of CVE-2025-9815?

CVE-2025-9815 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

HIGH

Improper Authentication (CWE-287)

2025-09-02 cna@vuldb.com

Authentication Bypass Apple

7.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.1 HIGH

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 29, 2026 - 01:16 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 29, 2026 - 01:11 vuln.today

cvss_changed

CVSS changed

Apr 29, 2026 - 01:11 NVD

8.5 (HIGH) 7.1 (HIGH)

Analysis Generated

Mar 28, 2026 - 19:10 vuln.today

PoC Detected

Sep 04, 2025 - 16:13 vuln.today

Public exploit code

CVE Published

Sep 02, 2025 - 05:15 nvd

HIGH 8.5

DescriptionCVE.org

A weakness has been identified in alaneuler batteryKid up to 2.1 on macOS. The affected element is an unknown function of the file PrivilegeHelper/PrivilegeHelper.swift of the component NSXPCListener. This manipulation causes missing authentication. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be exploited.

AnalysisAI

Missing authentication in the NSXPCListener implementation of batteryKid for macOS allows local authenticated attackers to achieve high-impact privilege escalation. An unprivileged local user can exploit the PrivilegeHelper.swift component to bypass authentication controls and execute privileged operations, potentially gaining root-level access. Publicly available exploit code exists on GitHub (SwayZGl1tZyyy/n-days), lowering the skill barrier for exploitation. EPSS score is 5% (17th percentile), indicating relatively low widespread exploitation probability despite POC availability, likely due to the local attack vector and limited user base of this open-source macOS utility.

Technical ContextAI

This vulnerability affects batteryKid versions up to 2.1, a macOS utility for battery management. The flaw resides in PrivilegeHelper/PrivilegeHelper.swift, which implements an NSXPCListener for inter-process communication between privileged and unprivileged processes. NSXPCListener is Apple's framework for secure IPC through Mach messages, commonly used for privilege separation where a helper tool runs with elevated rights while the main application runs with user privileges. CWE-287 (Improper Authentication) indicates the NSXPCListener implementation fails to properly validate the caller's identity before executing privileged operations. This is a classic XPC service authentication bypass where the helper does not verify that incoming XPC connections originate from the legitimate application or authorized processes. Without proper authentication checks (such as code signing validation, entitlement verification, or token-based authentication), any local process can connect to the privileged helper and invoke sensitive functions intended only for the main application.

RemediationAI

No vendor-released patch has been identified at the time of analysis. The batteryKid project repository (github.com/alaneuler/batteryKid) should be monitored for security updates addressing CVE-2025-9815. Until a patch is released, organizations should uninstall batteryKid from affected macOS systems, particularly from multi-user environments or systems handling sensitive data. If batteryKid functionality is business-critical, implement compensating controls: restrict local user accounts to only trusted personnel, enable macOS System Integrity Protection (SIP) to limit privileged helper abuse (note: SIP may not fully prevent XPC authentication bypass but adds defense layers), monitor process execution and XPC connections for anomalous privileged helper invocations using Endpoint Detection and Response (EDR) tools, and consider application sandboxing policies to limit what unprivileged processes can connect to privileged XPC services. These mitigations reduce but do not eliminate risk, as an authenticated local user can still potentially exploit the vulnerability. Removing batteryKid remains the most effective control until upstream fix is available.

CVE-2025-9815 vulnerability details – vuln.today

Back