CVE-2025-57489

HIGH

SuperDuper! - Privilege Escalation via SDAgent setuid Binary

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-57489. PoCs published by graypixel2121.

AI-analyzed exploit summary This PoC exploits a privilege escalation vulnerability in SuperDuper! v3.10 by leveraging the setuid SDAgent component, which improperly handles shell commands without verifying the requesting application. The exploit uses a named pipe to inject arbitrary commands, achieving root execution.

Description

Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary.

Exploits (1)

nomisec WORKING POC
by graypixel2121 · poc
https://github.com/graypixel2121/CVE-2025-57489

This PoC exploits a privilege escalation vulnerability in SuperDuper! v3.10 by leveraging the setuid SDAgent component, which improperly handles shell commands without verifying the requesting application. The exploit uses a named pipe to inject arbitrary commands, achieving root execution.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Shirt Pocket SuperDuper! v3.10
No auth needed
Prerequisites: SuperDuper! v3.10 installed · SDAgent setuid binary present · Lock in SuperDuper unlocked
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 8.1
EPSS 0.0030
EPSS Percentile 21.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-284
Status published
Products (1)
shirt-pocket/superduper\! 3.10
Published Dec 01, 2025
Tracked Since Feb 18, 2026