Skip to main content

Cato Client CVE-2026-12374

| EUVDEUVD-2026-41001 MEDIUM
Improper Certificate Validation (CWE-295)
2026-07-01 Cato GHSA-fmmf-42mh-hr4x
6.4
CVSS 4.0 · Vendor: Cato
Share

Severity by source

Vendor (Cato) PRIMARY
6.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:L/U:Amber
vuln.today AI
7.8 HIGH

TOCTOU race requires timing precision warranting AC:H; local low-privileged access (AV:L/PR:L); root escalation from a non-root process constitutes a scope change (S:C) with full CIA impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Cato).

CVSS VectorVendor: Cato

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:L/U:Amber
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 01, 2026 - 16:01 EUVD
Analysis Generated
Jul 01, 2026 - 14:59 vuln.today
CVE Published
Jul 01, 2026 - 14:07 cve.org
MEDIUM 6.4

DescriptionCVE.org

Improper certificate validation and a time-of-check time-of-use (TOCTOU) race condition in the PrivilegedHelperTool XPC service in Cato Client before v.5.13.1 on macOS allows a local authenticated attacker to escalate privileges to root via a self-signed certificate that bypasses the XPC caller verification and a symlink swap during package installation.

AnalysisAI

Local privilege escalation in Cato Client on macOS allows an authenticated low-privileged user to gain root by chaining two flaws in the PrivilegedHelperTool XPC service: improper certificate validation (CWE-295) that accepts self-signed certificates to bypass XPC caller verification, and a TOCTOU race condition exploitable via symlink swap during package installation. All Cato Client (SDP Client) versions prior to 5.13.1 on macOS are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privileged local shell on macOS
Delivery
Craft self-signed certificate for XPC bypass
Exploit
Present certificate to PrivilegedHelperTool XPC service
Install
Trigger Cato Client package installation
C2
Win TOCTOU race via symlink swap in install path
Execute
PrivilegedHelperTool operates on attacker-controlled target
Impact
Execute payload as root

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session on a macOS host running Cato Client prior to v5.13.1, with at minimum a standard (low-privileged, non-root) user account - corresponding to CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H) reflects local access with low complexity once conditions are aligned, though AT:P acknowledges that a specific attack requirement - timing the TOCTOU race during a package installation window - must be satisfied. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user on a corporate macOS laptop running Cato Client 5.12.x crafts a self-signed certificate and uses it to authenticate to the PrivilegedHelperTool XPC service, bypassing caller verification. The attacker then triggers a Cato Client package update or installation and, in a tight race window, atomically swaps a symlink in the installation path to point to a root-owned file or directory before the PrivilegedHelperTool completes its privileged write. …
Remediation Upgrade Cato Client to version 5.13.1 or later immediately; this is the vendor-confirmed patched release, documented in the Cato Networks advisory at https://support.catonetworks.com/hc/en-us/articles/37284626576413. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy