CVE-2026-24068

EUVD-2026-16160 | HIGH | CVSS 3.1 base score 8.8
2026-03-26 551230f0-3615-47bd-b7cc-93e92e730bbf

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 26, 2026 - 11:22 (euvd) - EUVD-2026-16160
Analysis Generated: Mar 26, 2026 - 11:22 (vuln.today)
CVE Published: Mar 26, 2026 - 11:16 (nvd) - HIGH 8.8

Description

The VSL privileged helper uses NSXPC for IPC. Its implementation of "shouldAcceptNewConnection", the function the NSXPC framework calls to decide whether a client may connect to the XPC listener, does not validate clients at all, so any process can connect to this service using the configured protocol. A malicious process can therefore call every function defined in the corresponding HelperToolProtocol. The functions "writeReceiptFile" and "runUninstaller" of the HelperToolProtocol perform no validation, which allows an attacker to write files to any location with any data and to execute any file with any arguments. Because of the missing XPC client validation, any process can call these functions, and abuse of the missing endpoint validation leads to privilege escalation.
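The validation gap described above, an unconditional accept in `shouldAcceptNewConnection`, shown beside a hardened listener delegate that checks the connecting process's code signature before exposing the protocol. This is an added example in Swift and is not Vienna Assistant's code; HelperToolProtocol is the name the advisory gives, while the method signature, class names, Mach service name, allowed directory, Team ID and bundle identifier are assumptions.

```swift
import Foundation
import Security

// Added example (not Vienna Assistant's code). The protocol name comes from the advisory;
// its method signature, the class names and the code-signing requirement are assumptions.
@objc protocol HelperToolProtocol {
    // Assumed signature; the advisory names the function but not its parameters.
    func writeReceiptFile(_ contents: Data, to path: String, withReply reply: @escaping (Bool) -> Void)
}

final class HelperTool: NSObject, HelperToolProtocol {
    func writeReceiptFile(_ contents: Data, to path: String, withReply reply: @escaping (Bool) -> Void) {
        // Even with a validated client, a privileged helper should only write inside its own
        // directory: constrain the destination instead of trusting the caller's path.
        let allowedDirectory = "/Library/Application Support/ExampleHelper/"   // assumed location
        let resolved = (path as NSString).standardizingPath                     // collapses ".." in absolute paths
        guard resolved.hasPrefix(allowedDirectory) else { reply(false); return }
        reply(FileManager.default.createFile(atPath: resolved, contents: contents))
    }
}

final class HelperListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Designated requirement every client must satisfy. Placeholder identifier and Team ID.
    private let clientRequirement =
        "anchor apple generic and identifier \"com.example.vsl-client\" " +
        "and certificate leaf[subject.OU] = \"TEAMIDPLACEHOLDER\""

    // The pattern the advisory describes, kept only for contrast: every connection is
    // accepted, so any local process can call the exported protocol.
    func acceptAnyClient(_ listener: NSXPCListener, shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        connection.exportedInterface = NSXPCInterface(with: HelperToolProtocol.self)
        connection.exportedObject = HelperTool()
        connection.resume()
        return true
    }

    // Hardened form: refuse the connection unless the peer's code signature satisfies
    // the requirement; only then export the protocol.
    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        guard clientSatisfiesRequirement(pid: connection.processIdentifier) else {
            NSLog("Rejected XPC client pid %d: code signature requirement not met", connection.processIdentifier)
            return false
        }
        connection.exportedInterface = NSXPCInterface(with: HelperToolProtocol.self)
        connection.exportedObject = HelperTool()
        connection.resume()
        return true
    }

    private func clientSatisfiesRequirement(pid: pid_t) -> Bool {
        // Identifies the peer by PID. PIDs can be reused, so keying on the audit token
        // (kSecGuestAttributeAudit) is stronger; NSXPCConnection exposes no public accessor
        // for it, which is why this example uses the PID.
        var code: SecCode?
        let attributes = [kSecGuestAttributePid: pid] as CFDictionary
        guard SecCodeCopyGuestWithAttributes(nil, attributes, [], &code) == errSecSuccess,
              let clientCode = code else { return false }

        var requirement: SecRequirement?
        guard SecRequirementCreateWithString(clientRequirement as CFString, [], &requirement) == errSecSuccess,
              let req = requirement else { return false }

        // Checks the running code's signature, identifier and signing team against the requirement.
        return SecCodeCheckValidity(clientCode, [], req) == errSecSuccess
    }
}

// Mach service name is assumed; the helper's launchd plist must register the same name.
let delegate = HelperListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.vsl-helper")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The delegate resumes the connection only after the check passes, so a rejected client never receives the exported object; the write handler additionally scopes the destination path, addressing the second half of the advisory (no validation inside the protocol functions) independently of the connection check.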

Analysis

Vienna Assistant 1.2.542 on macOS allows local privilege escalation through an unauthenticated XPC service endpoint that accepts connections from any process. The vulnerable VSL privileged helper service exposes functions to write arbitrary files to any location and execute arbitrary binaries with any arguments, enabling a low-privileged local user to gain root access. …


Remediation

Within 24 hours: Identify and inventory all macOS systems running Vienna Assistant 1.2.542 and assess whether the application is actively used in your environment. Within 7 days: If the application is business-critical, evaluate isolation options such as restricting local user access or disabling the VSL privileged helper service through configuration management. …


Priority Score

44 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +44
POC: 0
