Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (symantec).
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionNVD
CleanWipe Removal Tool (macOS), prior to 16.0.0.65, may be susceptible to an Local Privilege Escalation vulnerability, which is a type of issue whereby an attacker with limited privilege access on an affected system can escalate their privileges to gain administrative control.
AnalysisAI
Local privilege escalation in Broadcom's Symantec Endpoint Protection CleanWipe Removal Tool for macOS, versions prior to 16.0.0.65, allows a local attacker to gain administrative control of the affected system. The vulnerability is rooted in CWE-250 (Execution with Unnecessary Privileges), a class where a process operates with more permissions than its function requires, creating an elevation pathway. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog; however, the full confidentiality, integrity, and availability impact on the vulnerable component (VC:H/VI:H/VA:H) underscores the severity of a successful exploitation.
Technical ContextAI
CleanWipe is a standalone removal utility distributed by Broadcom under the Symantec Endpoint Protection product line, designed to forcibly uninstall Symantec security agents from macOS endpoints. The affected CPE is cpe:2.3:a:broadcom:symantec_endpoint_protection_cleanwipe_removal_tool:*:*:*:*:*:*:*:* for all versions prior to 16.0.0.65. CWE-250 (Execution with Unnecessary Privileges) indicates the tool runs with elevated OS privileges beyond what its core removal function requires, and that elevated execution context can be abused by a local attacker to redirect or hijack the privileged operation. This is a well-known antipattern in security software removers on macOS, where tools often require and obtain root-level access to fully uninstall kernel extensions or system-level agents. The CVSS 4.0 vector (AV:L/AT:P/PR:H/UI:A) further indicates that exploitation requires specific preconditions to be in place (AT:P = Attack Requirements: Present), active user interaction, and high privileges on the part of the initiating principal - pointing to a scenario such as abuse during an administrator-initiated removal session.
RemediationAI
The primary remediation is to upgrade Symantec Endpoint Protection CleanWipe Removal Tool to version 16.0.0.65 or later, as specified in the Broadcom security advisory at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37625. Organizations should obtain the updated tool from the Broadcom support portal and replace any locally cached or pre-staged copies of the CleanWipe installer. As a compensating control where immediate upgrade is not feasible, restrict use of CleanWipe to trusted, monitored administrator sessions and avoid running the tool in environments with potentially hostile local users. Additionally, enforce macOS endpoint controls (e.g., Endpoint Security Framework policies, MDM restrictions) to limit which user accounts can launch privileged removal utilities. These controls reduce the available exploitation window but do not eliminate the underlying vulnerability - patching to 16.0.0.65 remains the definitive fix.
Same weakness CWE-250 – Execution with Unnecessary Privileges
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36107
GHSA-wvc3-cw33-5mqh