CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
## Summary

The Orbit agent's FileVault disk encryption key rotation flow on macOS collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via `exec.Command("expect", "-c", script)`. Because the password is inserted into a Tcl brace-quoted word, `send {%s}`, a password containing an unbalanced `}` terminates the literal and the remainder of the password is parsed as Tcl code, so the user can inject arbitrary Tcl commands. Since Orbit runs as root, this lets a local unprivileged user escalate to root.

## CWE

- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- **CWE-94**: Improper Control of Generation of Code ('Code Injection')

## Impact

- Local privilege escalation to root: any unprivileged local user on a managed endpoint can execute arbitrary commands as root.

## Credit

This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).
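The following Go program is an added illustration of the injection pattern described above, not Orbit's own code. It reconstructs the vulnerable shape (a password interpolated into `send {%s}`), applies Tcl's brace-quoting rules to decide whether a given password escapes the literal, and shows a hardened variant that hands the password to expect through the environment and reads it in Tcl as `$env(FV_PASSWORD)`, which is substituted as a string value and never re-parsed as code. The `spawn` target, the `Password:` prompt, the `FV_PASSWORD` variable name, and the sample payload are all constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

// vulnerableScript reproduces the pattern in the advisory: the raw password is
// interpolated into a brace-quoted Tcl word. Hypothetical reconstruction; the
// spawn target and the expected prompt are placeholders, not Orbit's values.
func vulnerableScript(password string) string {
	return fmt.Sprintf(`spawn /usr/bin/true
expect "Password:"
send {%s}
send "\r"
expect eof
`, password)
}

// passwordBreaksBraceWord applies Tcl's brace-quoting rules to the password
// and reports whether it escapes the send {...} literal. Inside a brace word an
// unescaped '{' opens a nested level and an unescaped '}' closes one; a brace
// quoted with a backslash is not counted. The word ends at the first '}' that
// brings the depth to zero, so a '}' that does so mid-password terminates the
// literal and everything after it is parsed as Tcl. A password with an
// unclosed '{' (or a trailing backslash, which quotes send's own closing brace)
// instead swallows the rest of the script; either way the script no longer
// means what the author intended.
func passwordBreaksBraceWord(password string) bool {
	depth := 0
	escaped := false
	for _, r := range password {
		switch {
		case escaped:
			escaped = false
		case r == '\\':
			escaped = true
		case r == '{':
			depth++
		case r == '}':
			if depth == 0 {
				return true // closes send's brace early: injection point
			}
			depth--
		}
	}
	return depth != 0 || escaped
}

// safeScript never embeds the password in Tcl source. The value arrives via
// the environment and is read with $env(FV_PASSWORD); Tcl variable
// substitution produces a string, so braces, brackets and semicolons in it are
// inert. The "--" stops send from treating a leading '-' as an option.
// FV_PASSWORD is an assumed variable name for this example.
const safeScript = `spawn /usr/bin/true
expect "Password:"
send -- $env(FV_PASSWORD)
send "\r"
expect eof
`

// runExpectSafely executes the hardened script with the password supplied
// only through the child's environment, not through argv or the script text.
func runExpectSafely(password string) error {
	cmd := exec.Command("expect", "-c", safeScript)
	cmd.Env = append(os.Environ(), "FV_PASSWORD="+password)
	return cmd.Run()
}

func main() {
	// Constructed sample passwords: a benign one and a payload that closes the
	// brace word, runs a Tcl command, and reopens a brace so the script still
	// parses. "exec /usr/bin/id" stands in for whatever the attacker chooses.
	for _, pw := range []string{"hunter2", "x}; exec /usr/bin/id; send {"} {
		fmt.Printf("password %q breaks the brace literal: %v\n", pw, passwordBreaksBraceWord(pw))
		fmt.Print(vulnerableScript(pw), "\n")
	}
	fmt.Print("hardened script:\n", safeScript)
	_ = runExpectSafely // needs expect(1) installed; not invoked here
}
```

Passing the secret via the environment keeps it out of argv and out of the Tcl source; if the environment of a root process is a concern in your threat model, feeding it on stdin and reading it with `gets stdin` in Tcl is the equivalent alternative. Rejecting passwords that `passwordBreaksBraceWord` flags would only be a stopgap: the fix is to stop building code from user input at all.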
Analysis
Local privilege escalation to root in Fleet Orbit agent (macOS) allows authenticated local users to inject arbitrary Tcl commands via malformed FileVault password input. The vulnerability stems from unsafe interpolation of user-supplied passwords into expect scripts executed as root. …
Remediation
Within 24 hours: Identify all macOS endpoints running Fleet Orbit agent and document current versions in your asset inventory. Within 7 days: Implement access restrictions limiting local user account creation and interactive login on endpoints running Fleet Orbit; restrict FileVault password modification operations to administrative approval workflows. …
EUVD-2026-20540
GHSA-rphv-h674-5hp2