CVE-2020-9934

MEDIUM KEV

iPadOS < 13.6 - Unprotected User Data Exposure via Environment Variable Handling

Exploitation Summary

CVE-2020-9934 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 8, 2022. EIP tracks 3 public exploits from researchers including mattshockl, X1cT34m, and timwr; one of them is the Metasploit module post/osx/escalate/tccbypass.

Description

An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6. A local user may be able to view sensitive user information.

Exploits (3)

nomisec WORKING POC 23 stars
by mattshockl · local
https://github.com/mattshockl/CVE-2020-9934

This repository contains a Swift-based Proof of Concept for CVE-2020-9934, which exploits a vulnerability in macOS's Transparency, Consent, and Control (TCC) framework to bypass privacy protections. The PoC grants itself and Terminal full kTCCService entitlements, allowing unauthorized file operations in TCC-protected directories.

Classification: Working Poc 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: macOS TCC Framework (versions affected by CVE-2020-9934)
No auth needed
Prerequisites: macOS system vulnerable to CVE-2020-9934 · Local execution context
devstral-2 · analyzed Feb 18, 2026

github WORKING POC 4 stars
by X1cT34m · cpoc
https://github.com/X1cT34m/CVE-and-PoC/tree/main/2020/CVE-2020-9934

This PoC is a Swift program that exploits CVE-2020-9934 to bypass macOS TCC (Transparency, Consent, and Control) protections by granting itself and Terminal full kTCCService entitlements, enabling unauthorized file operations in TCC-protected directories.

Classification: Working Poc 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: macOS TCC Framework (versions affected by CVE-2020-9934)
No auth needed
Prerequisites: macOS system vulnerable to CVE-2020-9934 · ability to execute Swift code on the target system
devstral-2 · analyzed Feb 27, 2026

metasploit WORKING POC
by mattshockl, timwr · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/escalate/tccbypass.rb

This Metasploit module exploits CVE-2020-9934 by manipulating the TCC daemon on macOS Catalina (<= 10.15.5) to grant unauthorized TCC entitlements. It creates a fake TCC database by setting the HOME environment variable and injecting SQL entries to bypass privacy protections.

Classification: Working Poc 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: macOS Catalina (10.15.0 - 10.15.5)
No auth needed
Prerequisites: writable directory on target system · local shell or meterpreter session
devstral-2 · analyzed Apr 22, 2026

References (3)

Core References
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT211289
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT211288

Scores

CVSS v3 5.5
EPSS 0.0210
EPSS Percentile 84.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2022-09-08
VulnCheck KEV 2022-07-19
InTheWild.io 2022-07-17
ENISA EUVD EUVD-2020-30713
Status published
Products (3)
apple/ipados < 13.6
apple/iphone_os < 13.6
apple/mac_os_x < 10.15.6
Published Oct 16, 2020
KEV Added Sep 08, 2022
Tracked Since Feb 18, 2026