Researchers Disclose macOS Flaw Allowing Standard Users to Disable EDR and MDM

A macOS endpoint-protection bypass with defender posture-review implications. XM Cyber researchers showed that a standard, non-admin user can silently unload EDR and MDM agents on macOS, abusing legitimate XPC behavior rather than a single patchable bug.

Share
Flat white line-art of a laptop showing a shield on screen beside a large toggle switch, on a Raspberry background — macOS EDR and MDM standard-user disable research.

Key Takeaways

  • Researchers at XM Cyber disclosed a macOS technique that lets a standard, non-administrative user silently unload or permanently deactivate enterprise endpoint security agents — including EDR and MDM tooling — without administrator credentials, a kernel exploit, or any user-facing alert.
  • The chain abuses legitimate macOS behavior rather than a single software bug, leaning on weak validation in privileged XPC services and the persistence of the kernel's code-signing trust cache; it was demonstrated against CrowdStrike Falcon, the Kandji MDM agent (tracked as CVE-2026-39118), and a third, unnamed EDR vendor.
  • Apple has indicated it does not plan to remediate the underlying design behavior, leaving mitigation to third-party vendors — making this a defender posture-review story: organizations managing macOS endpoints should verify agent versions, tamper-protection settings, and whether disabled agents would be noticed.

A macOS endpoint-protection bypass with defender posture-review implications.

TEL AVIV — Researchers at XM Cyber in late June 2026 disclosed a macOS technique that allows a standard, non-administrative user account to silently disable or permanently deactivate enterprise endpoint security tooling — including endpoint detection and response (EDR) and mobile device management (MDM) agents — without administrator credentials, a kernel-level exploit, or any alert to the user. The work, led by senior security researcher Hillel Pinto, was demonstrated against CrowdStrike Falcon and the Kandji MDM agent, with a third enterprise EDR vendor also affected and not yet named at disclosure.

The disclosure is best read as a research finding and a defender posture-review prompt rather than an active-exploitation event: there is no report of in-the-wild abuse, and the affected vendors moved quickly to ship fixes or detections. What makes it notable is the framing. XM Cyber characterizes the chain as an abuse of legitimate macOS behavior rather than a single patchable bug, which puts the burden of mitigation on the security agents themselves and on the teams that deploy them — a different shape of problem from a routine vulnerability advisory.

At a Glance
FieldDetails
CVECVE-2026-39118 (assigned by Kandji for its MDM agent)
PlatformmacOS — privileged XPC services and code-signing trust cache
ImpactStandard, non-admin user can silently unload or deactivate EDR/MDM agents
Affected versionsNot specified (chain abuses macOS design behavior, not a fixed build)
Patch statusKandji and CrowdStrike fixed; third EDR vendor patching
Apple responseDoes not plan to remediate underlying design; mitigation left to vendors
DisclosedJune 2026 (XM Cyber; researcher Hillel Pinto)

What the Research Disclosed

The XM Cyber research describes a chain that lets an attacker operating as a standard, non-administrative user reach privileged functionality normally reserved for trusted system components. The mechanism centers on Apple's cross-process communication (XPC) framework — the service many macOS applications use to talk to their own privileged background processes. According to the firm, the affected agents expose privileged XPC services that validate callers using Apple's CDHash, a cryptographic identifier intended to confirm that the calling code is an authentic, signed component of the application.

The novelty in the disclosure, as XM Cyber tells it, is how that trust check is defeated. The researchers describe abusing the persistence of the kernel's code-signing trust cache after a legitimately signed application has executed, then injecting a payload that impersonates a trusted component and invokes privileged XPC methods. Because the technique leans on how macOS itself handles signing and inter-process trust, XM Cyber frames it as an abuse of legitimate platform behavior rather than a conventional memory-safety flaw — there is no single buffer overflow or injection point to patch out of existence.

The practical outcome demonstrated is the part defenders care about. XM Cyber said it used the technique to completely unload the CrowdStrike Falcon sensor from a standard user account — neutralizing its detection, network visibility, and process-monitoring capabilities — and, in a two-stage variant, to permanently deactivate the Kandji MDM agent. A third enterprise EDR vendor was also successfully targeted and was working on a fix at the time of disclosure. Crucially, the firm reported that none of this required administrator rights, a kernel exploit, or an alert that would tip off the user or the security team.

Defender Posture for Organizations Managing macOS Endpoints

For organizations that manage fleets of Macs, the most useful way to absorb this disclosure is as a posture-review trigger rather than an emergency patch cycle. The threat model it describes is one many macOS environments quietly assume away: that a standard, non-privileged user on a managed laptop cannot meaningfully interfere with the EDR or MDM agent watching that laptop. The research shows that assumption is not safe by default, and that the silent nature of the technique means a disabled agent might not announce itself.

The first concrete step is inventory and version verification. Teams should confirm which EDR and MDM products are deployed across their macOS estate, whether those products are on builds that include the vendors' fixes or added detections, and whether tamper-protection features — where the vendor offers them — are actually enabled rather than merely available. This is ordinary patch-management hygiene applied to the security tier itself, and it is exactly the kind of verification that tends to lag on endpoint agents because they are assumed to be self-maintaining.

The second step is detection of the absence. A technique whose whole point is to silently remove the watcher is best countered by monitoring that does not depend on the watcher staying up. Practically, that means confirming whether the management plane — the MDM console, the EDR cloud, or a separate inventory system — would notice and alert when an agent stops checking in, goes silent, or is unloaded on a managed device. Defenders should treat an endpoint that has quietly fallen out of contact as a signal worth investigating, not a routine gap to be reconciled at the next sync.

Verification Across EDR and MDM Product Lines

Because the disclosure names specific products, it is tempting to scope the response narrowly to CrowdStrike and Kandji. The research itself argues against that. XM Cyber's position is that the underlying technique is a class of weakness affecting macOS applications that expose privileged XPC services and rely on CDHash-style validation — not a defect unique to two vendors. The two demonstrated targets and the third, unnamed one are best read as proof points for a broader pattern, which is why the firm built tooling to look for the same weakness elsewhere.

That tooling is itself part of the story. XM Cyber developed an open-source utility, called XPC Hunter, that scans installed macOS applications for the same exploitable XPC pattern, and the firm has said it plans to release the tool at Black Hat Arsenal in Las Vegas in early August. For defenders, the takeaway is that the population of potentially affected software is not limited to the named agents: any privileged macOS helper that trusts callers on the basis of code-signing identity could, in principle, be in scope, and the means to enumerate that exposure will be public.

The verification work, then, extends beyond confirming a single patched build. Organizations should ask each EDR and MDM vendor in their environment directly: does the agent expose privileged XPC services, how does it validate callers, and has the vendor reviewed its exposure to the technique XM Cyber described? Vendors that have already responded — CrowdStrike, which the firm said fixed the issue, paid a bounty, and added detection and prevention across supported macOS sensor versions, and Kandji, which patched its agent and assigned CVE-2026-39118 — provide a template for the questions worth asking of the rest.

Apple's Response and What to Watch For

The most consequential detail for the long-term posture is Apple's stance. According to reporting from Dark Reading on the disclosure, Apple does not plan to remediate the underlying macOS design behavior that the technique abuses, leaving mitigation to the third-party vendors whose agents are affected. That is a meaningful distinction from a typical platform vulnerability, where defenders can reasonably wait for an operating-system patch to close the door for everyone at once.

If Apple's position holds, the durable fix lives at the agent layer rather than the platform layer. That shifts responsibility onto EDR and MDM vendors to harden how their privileged XPC services authenticate callers, and onto the organizations that deploy those agents to keep them current and tamper-resistant. It also means the protection any given environment enjoys will depend on which security products it runs and how diligently those products are maintained — there is no single macOS update that resolves the issue across the board.

What to watch in the coming weeks is straightforward: vendor advisories from EDR and MDM providers acknowledging or addressing the XPC technique, the public release of XM Cyber's XPC Hunter tool and any expansion of the list of affected applications it surfaces, and whether Apple revises its position once the technique and tooling are fully public. For teams that also manage Windows and other endpoint platforms, the broader lesson is that tamper-resistance of the security agent itself belongs on the review checklist alongside the threats the agent is meant to catch.

Open Questions

Several points remain open at disclosure. The identity of the third affected EDR vendor was not public, so the full list of impacted products is not yet known; the macOS versions in scope were not specified in the reporting, consistent with the framing that this is a design behavior rather than a flaw tied to a particular build. There is no indication of in-the-wild exploitation, but the planned public release of scanning tooling raises the prospect that other vulnerable applications will be identified — a dynamic the industry has seen before when offensive macOS research moves from a single demonstration to a public utility.

It is also worth noting the single-source posture at the brief stage: the core account originates with XM Cyber's own research, relayed through trade reporting, with vendor confirmations from CrowdStrike and Kandji providing independent corroboration of the affected-product claims. The technical specifics of the chain should be read as the researchers' description until the full Black Hat presentation and any vendor write-ups are available. What is already actionable, however, does not depend on those open questions: organizations managing macOS endpoints can verify agent versions, confirm tamper-protection settings, and check whether a silently disabled agent would be noticed — steps worth taking regardless of how the remaining details resolve.


The CyberSignal Analysis

The reported facts above originate with XM Cyber's research and the vendors' confirmations; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.

Signal 01 — A 'Won't-Fix' Design Behavior Moves the Burden to Vendors and Config

The single most consequential line in this disclosure is not the technique but Apple's stance. As Dark Reading reported, Apple does not plan to remediate the underlying design behavior — which converts a research finding into a standing condition defenders have to live with. When a platform vendor declines to close the door, there is no operating-system update that resolves the issue across the estate at once, and the fix migrates from the platform layer down to each individual agent and its configuration.

Our reading is that this reshapes how teams should file the incident internally. It does not belong in the transient patch-and-forget queue; it belongs on the standing posture checklist, because the condition it describes persists until each EDR and MDM vendor independently hardens how its privileged services authenticate callers. The mitigation burden has been redistributed from Cupertino to the security-tooling market and to the teams that deploy it.

Signal 02 — Verify Your Own Stack Rather Than Wait for a Platform Fix

Because there is no coming operating-system patch to wait on, the actionable posture is verification of the specific products a given environment runs. As XM Cyber framed the work, the weakness is a class affecting agents that expose privileged XPC services and validate callers by code-signing identity — not a defect confined to the two named vendors. That means the response cannot be scoped narrowly to the products that made headlines; it has to be a direct question put to every agent in the stack.

The concrete version of this is unglamorous but decisive: confirm which EDR and MDM builds are deployed, whether they carry the vendors' fixes or added detections, and whether tamper-protection is actually enabled rather than merely available. Our assessment is that the environments most exposed here are the ones that assume their security agents are self-maintaining — the assumption that lets a security-tier build drift quietly out of date while the rest of the fleet is patched on schedule.

Signal 03 — The Standard-User-Versus-Admin Assumption Gap Is the Real Lesson

The design many macOS environments quietly rely on is that a standard, non-privileged user on a managed laptop cannot meaningfully interfere with the agent watching that laptop. This disclosure's durable contribution is showing that this assumption is not safe by default — the boundary between an ordinary user and the security tier is thinner than the org chart implies, and the technique's silence means a disabled agent may not announce its own absence.

The forward-looking control that follows is detection of the absence rather than trust in the agent's continued presence. Our view is that defenders should confirm the management plane would notice and alert when an agent stops checking in, goes silent, or is unloaded on a managed device — and should treat an endpoint that has quietly fallen out of contact as an event to investigate, not a routine gap to reconcile at the next sync. Monitoring that depends on the watcher staying up is exactly the monitoring this technique is built to defeat.


Sources

TypeSource
PrimaryXM Cyber — macOS XPC endpoint-security research (Hillel Pinto)
ReportingDark Reading — Apple's macOS Security Gap Lets Users Disable Security Tools
ReportingSecurityWeek — macOS Weaknesses Chained to Silently Disable Endpoint Security Agents
ReportingInfosecurity Magazine — macOS Flaw Lets Standard Users Disable EDR and MDM
RelatedThe CyberSignal — North Korean Hackers Use AppleScript and ClickFix on macOS
RelatedThe CyberSignal — Jinx-0164 macOS Crypto-Developer Recruitment Lures