- Microsoft finds a macOS security bug that could allow threat actors to steal sensitive Apple Intelligence data
- “Sploitlight” revolves around Spotlight plugins
- It has been fixed in macOS Sequoia 15.4, so users should update now
Microsoft has revealed details of a security vulnerability in macOS that allowed threat actors to steal sensitive information cached by Apple Intelligence.
In a blog post, Microsoft said it found a bug that bypasses the Transparency, Consent, and Control (TCC) mechanisms found on macOS devices. TCC is a security and privacy framework that restricts access to sensitive user data and system functionality.
The bug, tracked as CVE-2025-31199, could allow hackers to access files in the Downloads folder, as well as caches used by Apple Intelligence. Microsoft has nicknamed the vulnerability “Sploitlight” because it abuses Spotlight plugins, and says it is more dangerous than previous TCC bypasses such as HM Surf or powerdir.
“Serious implications”
“The implications of this vulnerability are more serious because of its ability to extract and disclose sensitive information cached by Apple Intelligence, such as precise geolocation data, photo and video metadata, face and person recognition data, search history and user preferences, and more,” said Microsoft.
“These risks are further complicated and heightened by the remote linking capability between iCloud accounts, which means that an attacker with access to a user's macOS device could also use the vulnerability to determine remote information of other devices linked to the same iCloud account.”
Spotlight plugins are used to index files for macOS search. Although these plugins run in a sandbox, they still have privileged access to the files being scanned, which means that attackers can modify a plugin's metadata to target specific file types.
By recording the contents of files during indexing, attackers can exfiltrate data without needing TCC permissions.
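For defenders, the plugin metadata described above can be audited directly. The following is an added example, not code from Microsoft or Apple: it lists the file types each per-user Spotlight importer declares and flags catch-all types for review. The `~/Library/Spotlight` location, the `.mdimporter` bundle layout and the `BROAD_TYPES` watchlist are assumptions of this sketch, and `build_sample` only creates constructed test bundles.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumption: per-user Spotlight importers live here as *.mdimporter bundles.
USER_IMPORTER_DIR = Path.home() / "Library" / "Spotlight"
# Assumption: catch-all UTIs an ordinary importer has little reason to claim.
BROAD_TYPES = {"public.data", "public.item", "public.content"}


def declared_types(bundle: Path) -> list[str]:
    """Return the content types (UTIs) an importer asks Spotlight to hand it."""
    with open(bundle / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    types = []
    for doc in info.get("CFBundleDocumentTypes", []):
        types.extend(doc.get("LSItemContentTypes", []))
    return types


def audit(importer_dir: Path) -> list[dict]:
    """One finding per importer bundle: declared types plus review flags."""
    findings = []
    if not importer_dir.is_dir():
        return findings
    for bundle in sorted(importer_dir.glob("*.mdimporter")):
        try:
            types = declared_types(bundle)
            flags = sorted(set(types) & BROAD_TYPES)
        except (OSError, ValueError, ExpatError, AttributeError):
            # Missing or malformed metadata is itself worth a manual look.
            types, flags = [], ["unreadable-Info.plist"]
        findings.append({"bundle": bundle.name, "types": types, "flags": flags})
    return findings


def build_sample(root: Path, name: str, types: list[str]) -> None:
    """Constructed fixture: a minimal importer bundle declaring the given types."""
    contents = root / name / "Contents"
    contents.mkdir(parents=True)
    info = {"CFBundleDocumentTypes": [{"LSItemContentTypes": types}]}
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump(info, fh)


if __name__ == "__main__":
    for finding in audit(USER_IMPORTER_DIR):
        print(finding)
```

A flag here is a prompt for review, not proof of abuse; any bundle in this user-writable directory that the user did not knowingly install deserves the same scrutiny.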
Apple said it corrected the flaw in March 2025, through fixes in macOS Sequoia 15.4. On NVD, the patch is described as offering “improved data redaction”. Microsoft said that Defender for Endpoint now detects “suspicious” installations.
Via BleepingComputer