CVE-2017-13872

HIGH

Apple <macOS High Sierra - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2017-13872. PoCs published by Metasploit, Lemiorhan, giovannidispoto, including Metasploit module auxiliary/scanner/vnc/ard_root_pw.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2017-13872, a privilege escalation vulnerability in macOS High Sierra 10.13.1, allowing any user to gain root access by leaving the password empty. It writes a payload to a temporary file, makes it executable, and executes it with root privileges using osascript.

Description

An issue was discovered in certain Apple products. macOS High Sierra before Security Update 2017-001 is affected. The issue involves the "Directory Utility" component. It allows attackers to obtain administrator access without a password via certain interactions involving entry of the root user name.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · macos
https://www.exploit-db.com/exploits/43201

This Metasploit module exploits CVE-2017-13872, a privilege escalation vulnerability in macOS High Sierra 10.13.1, allowing any user to gain root access by leaving the password empty. It writes a payload to a temporary file, makes it executable, and executes it with root privileges using osascript.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: macOS High Sierra 10.13.1
No auth needed
Prerequisites: Local access to a vulnerable macOS High Sierra 10.13.1 system
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Lemiorhan · local · macos
https://www.exploit-db.com/exploits/43248

This is a writeup describing CVE-2017-13872, a critical authentication bypass vulnerability in macOS High Sierra. The issue allows any user to log in as 'root' with an empty password after repeated login attempts. The document includes mitigation steps, detection methods, and references to advisory sources.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: macOS High Sierra
No auth needed
Prerequisites: Physical or local access to a macOS High Sierra system
devstral-2 · analyzed Feb 16, 2026
nomisec STUB
by giovannidispoto · poc
https://github.com/giovannidispoto/CVE-2017-13872-Patch

This repository claims to patch CVE-2017-13872 but only contains a simple C program that unlocks the root account using 'sudo passwd -u root'. It does not address the actual vulnerability (a buffer overflow in the Broadcom Wi-Fi driver).

Classification
Stub 80%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Linux systems with sudo access
Auth required
Prerequisites: sudo privileges · compiled binary execution
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vnc/ard_root_pw.rb

This Metasploit module exploits CVE-2017-13872 to enable and set the root account password on unpatched macOS High Sierra systems with Screen Sharing or Remote Management enabled. It uses VNC authentication to test and set the root password.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: macOS High Sierra (unpatched)
No auth needed
Prerequisites: Screen Sharing or Remote Management enabled · VNC service accessible on port 5900
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by chethan177, lemiorhan, timwr · ruby · poc · osx
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/root_no_password.rb

This Metasploit module exploits CVE-2017-13872, a privilege escalation vulnerability in macOS High Sierra 10.13.1, allowing any user to gain root access by logging in as 'root' with an empty password. It writes a payload to a temporary file, makes it executable, and executes it with root privileges using AppleScript.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: macOS High Sierra 10.13.1
No auth needed
Prerequisites: Access to a vulnerable macOS High Sierra 10.13.1 system · Local user session
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Exploit, Technical Description, Third Party Advisory: https://objective-see.com/blog/blog_0x24.html
Vendor Advisory: https://support.apple.com/HT208331
Vendor Advisory: https://support.apple.com/HT208315
Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1039875
Exploit, Third Party Advisory, VDB Entry (Exploit-DB): https://www.exploit-db.com/exploits/43201/
Exploit, Third Party Advisory (Exploit-DB): https://www.exploit-db.com/exploits/43248/
Third Party Advisory, VDB Entry (BID): http://www.securityfocus.com/bid/101981
Press/Media Coverage, Third Party Advisory: https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/

Scores

CVSS v3 8.1
EPSS 0.3689
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-287
Status published
Products (3)
apple/mac_os_x 10.13.0
apple/mac_os_x 10.13.1
n/a/macOS High Sierra
Published Nov 29, 2017
Tracked Since Feb 18, 2026