iBoysoft NTFS for Mac CVE-2026-2637
HIGHSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
iBoysoft NTFS for Mac contains a local privilege escalation vulnerability in its privileged helper daemon ntfshelperd. The daemon exposes an NSConnection service that runs as root without implementing any authentication or authorization checks.
This issue affects iBoysoft NTFS: 8.0.0.
AnalysisAI
Local privilege escalation in iBoysoft NTFS for Mac 8.0.0 allows authenticated macOS users to gain root access through the ntfshelperd privileged helper daemon. The daemon exposes an unauthenticated NSConnection service running as root, enabling any local user with standard privileges to communicate directly with the root-level service and execute privileged operations. EPSS probability is very low (0.02%, 6th percentile) with no confirmed active exploitation or public POC at time of analysis, suggesting limited real-world targeting despite high technical severity.
Technical ContextAI
iBoysoft NTFS for Mac is a commercial macOS utility that enables read-write access to NTFS-formatted drives on Apple systems. The vulnerability resides in the ntfshelperd privileged helper daemon, a background service that runs with root privileges to perform operations requiring elevated permissions. On macOS, privileged helper daemons commonly use NSConnection (an older Distributed Objects mechanism) or XPC services for inter-process communication between unprivileged user applications and root-level helpers. The root cause is CWE-732 (Incorrect Permission Assignment for Critical Resource): the daemon fails to implement authentication or authorization controls on the NSConnection interface, allowing any local process to connect and send arbitrary commands to the root-privileged service. This violates the principle of least privilege and macOS security best practices for privileged helper tools, which mandate explicit entitlement checks and caller verification before executing privileged operations.
RemediationAI
Check the vendor website at https://iboysoft.com/ntfs-for-mac/ for patched versions released after version 8.0.0 that address the ntfshelperd authentication bypass. As of analysis, no specific patch version number is confirmed in available data sources, so users must monitor vendor communications for update availability. If a patched version is available, upgrade immediately through the application's built-in update mechanism or by downloading from the official vendor site. If no patch is yet available, consider uninstalling iBoysoft NTFS for Mac if NTFS write support is not business-critical, as macOS natively supports NTFS read-only access. For environments requiring NTFS write capabilities, compensating controls include restricting local user accounts to only trusted administrators (eliminating standard user accounts that could exploit PR:L requirement), implementing endpoint detection and response (EDR) solutions to monitor suspicious IPC connections to privileged helper daemons, and using macOS system integrity features like System Integrity Protection (SIP) and FileVault to limit post-exploitation capabilities. Note that these mitigations reduce but do not eliminate risk, as a compromised standard user account can still escalate to root within the context of systems running the vulnerable software.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today