CVE-2025-61229

HIGH

Shirt Pocket's SuperDuper! <3.10 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-61229. PoCs published by graypixel2121.

AI-analyzed exploit summary This PoC exploits CVE-2025-61229 by modifying SuperDuper!'s default task settings to execute an arbitrary preflight script with root privileges and Full Disk Access, bypassing macOS privacy controls. The script demonstrates the vulnerability by creating a script that lists files from the user's Desktop and saves them to a location requiring elevated permissions.

Description

An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allow a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls.

Exploits (1)

nomisec WORKING POC
by graypixel2121 · poc
https://github.com/graypixel2121/CVE-2025-61229

This PoC exploits CVE-2025-61229 by modifying SuperDuper!'s default task settings to execute an arbitrary preflight script with root privileges and Full Disk Access, bypassing macOS privacy controls. The script demonstrates the vulnerability by creating a script that lists files from the user's Desktop and saves them to a location requiring elevated permissions.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: SuperDuper! 3.10 and earlier
Auth required
Prerequisites: Local access to a macOS system with SuperDuper! 3.10 or earlier installed · User must have write access to the SuperDuper! settings directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 7.8
EPSS 0.0012
EPSS Percentile 2.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-284 CWE-276
Status published
Products (1)
shirt-pocket/superduper\! < 3.10
Published Dec 01, 2025
Tracked Since Feb 18, 2026