CVE-2025-69604

HIGH

SuperDuper! < 3.12 - Unauthenticated Arbitrary Package Installation via Default Task Template

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-69604. PoCs published by graypixel2121.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-69604, which leverages SuperDuper's insecure task template to install arbitrary packages with root privileges and full disk access. The exploit modifies the default settings template to execute a malicious package during backup operations.

Description

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls.

Exploits (1)

nomisec WORKING POC
by graypixel2121 · poc
https://github.com/graypixel2121/CVE-2025-69604

This repository contains a functional exploit for CVE-2025-69604, which leverages SuperDuper's insecure task template to install arbitrary packages with root privileges and full disk access. The exploit modifies the default settings template to execute a malicious package during backup operations.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: SuperDuper! < 3.12
No auth needed
Prerequisites: Local access to the target system · SuperDuper! installed and configured with default settings
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 7.8
EPSS 0.0010
EPSS Percentile 1.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-276
Status published
Products (1)
shirt-pocket/superduper\! < 3.12
Published Jan 29, 2026
Tracked Since Feb 18, 2026