Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionNVD
Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by checking only the subject.OU value of the client's signing certificate and does not verify that the certificate chains to a trusted code-signing authority. A local attacker can sign a malicious client with a self-signed certificate containing the expected organizational unit value and connect to the privileged XPC service. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation.
AnalysisAI
Local privilege escalation in Slate Digital Connect 1.37.0 for macOS allows unprivileged users to execute commands as root by connecting to the privileged XPC helper service with a self-signed certificate whose subject OU matches the expected value. The flaw stems from improper certificate validation (CWE-296) in the helper's client authorization logic, which fails to verify the certificate chains to a trusted code-signing authority. No public exploit is identified in CISA KEV at time of analysis, and EPSS reflects very low (0.01%) near-term exploitation probability, but a detailed vendor-lab advisory is publicly available.
Technical ContextAI
Slate Digital Connect is an audio plugin authentication/licensing client for macOS used by the Slate Digital plugin ecosystem. The product installs a privileged helper tool (com.slatedigital.connect.privileged.helper.tool) under macOS's SMJobBless / privileged helper model, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2 to perform actions requiring root. macOS best practice for XPC client authorization requires verifying the connecting peer's code signature using SecCodeCheckValidity / SecRequirement-based requirements (anchor apple generic, certificate leaf TeamID, designated requirement) so that only binaries signed by the expected developer can communicate with the helper. This vulnerability is a classic CWE-296 (Improper Following of a Certificate's Chain of Trust) - the helper inspects only the subject.OU attribute of the client certificate without anchoring the chain to Apple's code-signing CA, so any self-signed certificate carrying the right OU string is accepted as legitimate.
RemediationAI
No vendor-released patch version is identified in the provided data at time of analysis, so administrators should monitor Slate Digital's official channels and the SEC Consult advisory at https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-in-slate-digital-connect/ for a fixed release superseding 1.37.0 and upgrade as soon as one ships. As compensating controls on macOS endpoints running version 1.37.0, uninstall Slate Digital Connect on systems where it is not actively required (this disables Slate Digital plugin authorization until reinstalled), or remove the privileged helper by unloading and deleting /Library/PrivilegedHelperTools/com.slatedigital.connect.privileged.helper.tool and its associated LaunchDaemon plist (this breaks any Connect functionality that depends on root privileges such as license/driver installation). Where the helper must remain installed, restrict the workstation to trusted interactive users only and tighten endpoint controls - for example MDM-enforced Gatekeeper, EDR rules blocking unsigned or non-Slate binaries from initiating XPC connections to com.slatedigital.connect.privileged.helper.tool2, and monitoring for new launchd connections to that mach service - accepting that these reduce but do not eliminate the local escalation path.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36002
GHSA-7rrm-228m-fjwh