CVE-2020-9839

HIGH

macOS cfprefsd Arbitrary File Write Local Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-9839. Includes Metasploit module exploits/osx/local/cfprefsd_race_condition.

AI-analyzed exploit summary This Metasploit module exploits a race condition in cfprefsd (CVE-2020-9839) to overwrite /etc/pam.d/login, allowing passwordless root login via the `login root` command. It includes payload delivery and cleanup mechanisms.

Description

A race condition was addressed with improved state handling. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5. An application may be able to gain elevated privileges.

Exploits (1)

metasploit WORKING POC EXCELLENT

rubypocosx

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/cfprefsd_race_condition.rb

View Code ZIP pw:eip

This Metasploit module exploits a race condition in cfprefsd (CVE-2020-9839) to overwrite /etc/pam.d/login, allowing passwordless root login via the `login root` command. It includes payload delivery and cleanup mechanisms.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: macOS <= 10.15.4

No auth needed

Prerequisites: Unsandboxed process access · Write permissions in a temporary directory

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.002 - Bypass User Account Control

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory x_refsource_misc

https://support.apple.com/HT211168

Vendor Advisory x_refsource_misc

https://support.apple.com/HT211170

Vendor Advisory x_refsource_misc

https://support.apple.com/HT211171

Vendor Advisory x_refsource_misc

https://support.apple.com/HT211175

Scores

CVSS v3 7.0

EPSS 0.0367

EPSS Percentile 88.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-362

Status published

Products (5)

apple/ipados < 13.5

apple/iphone_os < 13.5

apple/mac_os_x < 10.15.5

apple/tvos < 13.4.5

apple/watchos < 6.2.5

Published Jun 09, 2020

Tracked Since Feb 18, 2026