Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions "writeReceiptFile" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.
AnalysisAI
Vienna Assistant 1.2.542 on macOS allows local privilege escalation through an unauthenticated XPC service endpoint that accepts connections from any process. The vulnerable VSL privileged helper service exposes functions to write arbitrary files to any location and execute arbitrary binaries with any arguments, enabling a low-privileged local user to gain root access. A proof-of-concept exploit exists per SSVC assessment, with an EPSS score of 0.02% indicating low observed exploitation probability in the wild.
Technical ContextAI
This vulnerability exploits macOS's NSXPC inter-process communication framework, specifically the shouldAcceptNewConnection delegate method used to validate XPC client connections. CWE-306 (Missing Authentication for Critical Function) occurs because the VSL privileged helper tool's XPC listener does not implement any client validation logic, allowing arbitrary processes to bind to the service and invoke privileged operations. The HelperToolProtocol exposes writeReceiptFile and runUninstaller functions that execute with elevated privileges inherited from the helper tool without performing authorization checks on the calling process, violating Apple's secure XPC service design guidelines. Vienna Assistant 1.2.542 is confirmed affected per EUVD-2026-16160 reporting.
RemediationAI
Users should monitor the SEC Consult advisory at https://r.sec-consult.com/vsl for vendor patch releases addressing this XPC validation issue. Until a patched version is available, mitigate risk by restricting local user access to systems running Vienna Assistant 1.2.542, removing the application from multi-user or untrusted environments, and implementing endpoint detection rules monitoring for unauthorized XPC connections to the VSL helper service. Organizations should audit systems for Vienna Assistant installations and consider temporary removal if the software is not business-critical. The underlying fix requires implementing proper XPC client validation in shouldAcceptNewConnection using code signing or entitlement checks, and adding per-function authorization in writeReceiptFile and runUninstaller methods.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16160