CVE-2025-69604

HIGH

Shirt-pocket Superduper! < 3.12 - Incorrect Default Permissions

Title source: rule

Description

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allows a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls.

Exploits (1)

nomisec WORKING POC
by graypixel2121 · poc
https://github.com/graypixel2121/CVE-2025-69604

Scores

CVSS v3 7.8
EPSS 0.0001
EPSS Percentile 2.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-276
Status published

Affected Products (1)

shirt-pocket/superduper! < 3.12

Timeline

Published Jan 29, 2026
Tracked Since Feb 18, 2026