CVE-2023-42860

MEDIUM

macOS 12.0-12.7.0 - Unprotected User Data Exposure via Path Handling Issue

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-42860. PoCs published by Trigii.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-42860, a macOS vulnerability that allows bypassing System Integrity Protection (SIP) by manipulating symlinks during the installation process. The exploit uses a race condition to replace a SIP-protected file (e.g., TCC.db) with a symlink, effectively removing its restricted flag.

Description

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to modify protected parts of the file system.

Exploits (1)

nomisec WORKING POC 3 stars
by Trigii · poc
https://github.com/Trigii/CVE-2023-42860

This repository contains a functional exploit for CVE-2023-42860, a macOS vulnerability that allows bypassing System Integrity Protection (SIP) by manipulating symlinks during the installation process. The exploit uses a race condition to replace a SIP-protected file (e.g., TCC.db) with a symlink, effectively removing its restricted flag.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: macOS (versions before 13.3)
Auth required
Prerequisites: Root access · InstallAssistant.pkg for macOS Ventura · SIP-protected file target
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 5.5
EPSS 0.0049
EPSS Percentile 38.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-863
Status published
Products (2)
apple/macos 14.0
apple/macos 12.0 - 12.7.1
Published Feb 21, 2024
Tracked Since Feb 18, 2026