CVE-2015-1130

HIGH KEV

Apple OS X Rootpipe Privilege Escalation

Title source: metasploit

Exploitation Summary

CVE-2015-1130 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added February 10, 2022). EIP tracks 5 public exploits, from Metasploit, Emil Kvarnhammar, sideeffect42 and Shmoopi, among them the Metasploit module exploits/osx/local/rootpipe.

AI-analyzed exploit summary: The Metasploit module for CVE-2015-1130 targets the "Rootpipe" privilege escalation in OS X's Admin framework, whose XPC service accepts a nil authorization reference (the "hidden backdoor API"). Run as an admin user, the module drops a Python exploit and a reverse shell payload into a writable directory, has the service write the payload back out as a root-owned file, and executes it to go from admin to root.

Description

The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors.

Exploits (5)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · osx
https://www.exploit-db.com/exploits/36745

This Metasploit module exploits CVE-2015-1130, a privilege escalation vulnerability in Mac OS X's Admin framework (dubbed 'Rootpipe'). It leverages a hidden backdoor API to escalate from an admin user to root by executing a Python-based exploit and a reverse shell payload.

Classification: Working PoC (100%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Mac OS X 10.9-10.10.2
Auth: required
Prerequisites: Admin user access on the target system · Python installed on the target system
Analysis: devstral-2, Feb 16, 2026
exploitdb · WORKING POC · VERIFIED
by Emil Kvarnhammar · python · local · osx
https://www.exploit-db.com/exploits/36692

This exploit abuses the Rootpipe vulnerability (CVE-2015-1130) to escalate privileges on OS X through the Admin framework (the SystemAdministration framework on older releases): it authenticates with a nil authorization reference, which the service accepts, and then has the service write a caller-supplied binary to a chosen destination path as root with elevated permissions.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: macOS (tested on 10.7.5, 10.8.2, 10.9.5, 10.10.2)
Auth: none needed (the service accepts a nil authorization reference)
Prerequisites: Local access to the target macOS system · Python environment with PyObjC installed
Analysis: devstral-2, Feb 16, 2026
nomisec · WRITEUP · 18 stars
by sideeffect42 · local
https://github.com/sideeffect42/RootPipeTester

RootPipe Tester is a macOS application that checks whether a system is vulnerable to CVE-2015-1130 and the related CVE-2015-3673; its README documents how to run the test and gives mitigation steps for each affected macOS version.

Classification: Writeup (100%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: macOS (various versions)
Auth: none needed
Prerequisites: Access to a macOS system · RootPipe Tester application
Analysis: devstral-2, Feb 16, 2026
nomisec · WORKING POC · 2 stars
by Shmoopi · local
https://github.com/Shmoopi/RootPipe-Demo

Proof-of-concept Mac application demonstrating the Rootpipe privilege escalation (CVE-2015-1130): it copies a file to a caller-specified path with elevated permissions and, optionally, a chosen owner and group, without presenting any authorization.

Classification: Working PoC (90%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Mac OS X 10.9 - Mac OS X 10.10.2
Auth: none needed
Prerequisites: Access to a vulnerable Mac OS X system (10.9 - 10.10.2)
Analysis: devstral-2, Feb 16, 2026
metasploit · WORKING POC · GREAT
by Emil Kvarnhammar, joev, wvu · ruby · poc · osx
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/rootpipe.rb

This Metasploit module exploits CVE-2015-1130, a hidden backdoor API in Apple's Admin framework on Mac OS X, to escalate privileges from an admin user to root. It writes a Python exploit and a binary payload to a writable directory, then executes them to achieve privilege escalation.

Classification: Working PoC (100%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Apple OS X 10.9 to 10.10.2
Auth: required
Prerequisites: Admin user access · Writable directory · Python executable
Analysis: devstral-2, Feb 16, 2026
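Every PoC listed above ends the same way: the Admin framework writes an attacker-supplied binary to an attacker-chosen path as root, typically with setuid set, and the payload is then run out of a user- or world-writable directory. The Python below is an added example, not code from this page or from any of the PoCs above. It does two things a responder would want: it checks a reported OS X version against the 10.10.3 fix (Apple shipped the fix for 10.10.3 only, so 10.7 through 10.9 stay affected), and it hunts for the leftover artifact, a root-owned setuid file sitting in a directory that an unprivileged user or everyone can write to. The inventory records and their stat values are constructed for illustration; `scan()` applies the same rule to a real filesystem.

```python
"""Added example (not from the page or any of the listed PoCs): a version
check for CVE-2015-1130 and a hunt for the artifact the Rootpipe PoCs leave
behind, a root-owned setuid file in a directory an unprivileged user or
everyone can write to."""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Apple shipped the fix in OS X 10.10.3 only; 10.7 through 10.9 never got it.
FIXED_VERSION: Tuple[int, int, int] = (10, 10, 3)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'10.10.2' -> (10, 10, 2); '10.10' -> (10, 10, 0)."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(product_version: str) -> bool:
    """True when an OS X / macOS version string is older than 10.10.3.

    On a live host, feed it the output of `sw_vers -productVersion`."""
    return parse_version(product_version) < FIXED_VERSION


@dataclass(frozen=True)
class FileRecord:
    path: str
    mode: int         # st_mode of the file
    uid: int          # owner of the file
    parent_mode: int  # st_mode of the containing directory
    parent_uid: int   # owner of the containing directory


def is_suspicious(rec: FileRecord) -> bool:
    """Root-owned setuid regular file in a directory that is world-writable
    (e.g. /tmp, mode 1777) or owned by a non-root user (e.g. a home dir).
    Setuid binaries in root-owned system directories are ignored."""
    if not stat.S_ISREG(rec.mode) or not rec.mode & stat.S_ISUID:
        return False
    if rec.uid != 0:
        return False
    world_writable_parent = bool(rec.parent_mode & stat.S_IWOTH)
    unprivileged_parent_owner = rec.parent_uid != 0
    return world_writable_parent or unprivileged_parent_owner


def triage(inventory: Iterable[FileRecord]) -> List[str]:
    """Paths of records that match the Rootpipe drop pattern."""
    return [r.path for r in inventory if is_suspicious(r)]


def scan(roots: Iterable[str]) -> List[FileRecord]:
    """Walk real directories (symlinks are not followed) and return matches."""
    hits: List[FileRecord] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            try:
                dst = os.lstat(dirpath)
            except OSError:
                continue
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                rec = FileRecord(path, st.st_mode, st.st_uid, dst.st_mode, dst.st_uid)
                if is_suspicious(rec):
                    hits.append(rec)
    return hits


# Constructed sample inventory (paths and stat values chosen for illustration).
SAMPLE_INVENTORY = [
    # legitimate setuid-root binary in a root-owned system directory
    FileRecord("/usr/bin/sudo", 0o104755, 0, 0o40755, 0),
    # Rootpipe-style drop: root-owned, mode 4777, sitting in sticky /tmp
    FileRecord("/tmp/.payload", 0o104777, 0, 0o41777, 0),
    # root-owned setuid file inside an ordinary user's home directory
    FileRecord("/Users/alice/Desktop/x", 0o104755, 0, 0o40755, 501),
    # the user's own non-setuid tool: not interesting
    FileRecord("/Users/alice/tool", 0o100755, 501, 0o40755, 501),
]

if __name__ == "__main__":
    print("10.10.2 affected:", is_affected("10.10.2"), "| 10.10.3 affected:", is_affected("10.10.3"))
    print("sample hits:", triage(SAMPLE_INVENTORY))
    for hit in scan(["/tmp", "/private/tmp", "/Users"]):
        print(f"{hit.path} mode={oct(hit.mode)} uid={hit.uid}")
```

The hunt is a post-exploitation check, not a vulnerability test: a clean result says nothing about whether the host is patched, only the version check does that. Expect some benign hits wherever setuid-root binaries are legitimately installed under a user-owned prefix; review those by hand rather than loosening the rule, since a root-owned setuid file that a standard user could have placed is exactly what every Rootpipe PoC produces.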

References (7)

Core References
Vendor Advisory (confirm): https://support.apple.com/HT204659
Exploit, Third Party Advisory, VDB Entry (bid): http://www.securityfocus.com/bid/73982
Broken Link, VDB Entry (osvdb): http://www.osvdb.org/120418
Exploit, Third Party Advisory, VDB Entry (exploit-db): https://www.exploit-db.com/exploits/36692/
Broken Link, Third Party Advisory, VDB Entry (sectrack): http://www.securitytracker.com/id/1032048
Mailing List, Vendor Advisory (apple): http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html

Scores

CVSS v3: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
EPSS: 0.0989 (9.89%)
EPSS Percentile: 94.9%

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2022-02-10
VulnCheck KEV: 2022-02-10
InTheWild.io: 2022-02-10
ENISA EUVD: EUVD-2015-1273
CWE: CWE-59 (Improper Link Resolution Before File Access ('Link Following'))
Status: published
Products (1): apple/mac_os_x < 10.10.3
Published: Apr 10, 2015
KEV Added: Feb 10, 2022
Tracked Since: Feb 18, 2026