CVE-2025-11921
BaseFortify
Publication date: 2025-11-24
Last updated on: 2025-11-24
Assigner: Fluid Attacks
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fluidattacks | istats | 7.10.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11921 is a critical local privilege escalation vulnerability in iStat Menus version 7.10.4. It arises from an insecure XPC service in the iStat Menus daemon that accepts commands without authentication or authorization. The daemon takes user-supplied input from JSON and directly concatenates it into shell commands without validation or sanitization, leading to command injection. An attacker can inject shell metacharacters to execute arbitrary commands with root privileges. For example, by sending a specially crafted JSON command, an attacker can execute malicious commands as root on the affected system. [1]
How can this vulnerability impact me?
This vulnerability allows a local, unprivileged user to escalate their privileges to root by injecting arbitrary commands into the iStat Menus daemon's XPC service. This means an attacker with local access can execute any command with root privileges, potentially compromising the entire system. The attacker could manipulate system power management settings, control fan speeds, toggle Wi-Fi, or perform other privileged operations, leading to system compromise, data theft, or physical damage. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable iStat Menus daemon (com.bjango.istatmenus.daemon) version 7.10.4 running on the system. Since the issue involves an insecure XPC service accepting unauthenticated commands, you can attempt to connect locally to the XPC service and send a test command to see if it accepts input without authentication. A practical detection method is to verify the iStat Menus version installed and check for the presence of the vulnerable service. Specific commands to check the version and running processes include:
- Check iStat Menus version: `defaults read /Applications/iStat\ Menus.app/Contents/Info.plist CFBundleShortVersionString`
- Check if the daemon is running: `ps aux | grep com.bjango.istatmenus.daemon`
- Attempt to connect to the XPC service and send a benign command (requires scripting knowledge, e.g., using Objective-C or a tool that can interact with NSXPCConnection) to test if it accepts commands without authentication.
Direct command injection tests should only be performed in a controlled environment due to security risks. [1]
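As an added example (not part of this advisory and not vendor code), the following POSIX shell script turns the version check above into a reusable fleet test: it reads CFBundleShortVersionString with the same `defaults read` command and compares it against the fixed release 7.20 named in the mitigation answer. The plist path constant and the version-comparison helper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): flag hosts running an iStat Menus
# build below the fixed release 7.20 named in the mitigation answer.
FIXED_VERSION="7.20"
ISTAT_PLIST="/Applications/iStat Menus.app/Contents/Info.plist"  # assumed path

# version_lt A B: exit 0 when dotted version A sorts before B, otherwise 1.
# Components are compared numerically left to right; a missing component
# counts as 0 and any non-digit suffix (e.g. "20b") is ignored.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; a=${a#*.}
        cb=${b%%.*}; b=${b#*.}
        ca=${ca%%[!0-9]*}; cb=${cb%%[!0-9]*}
        ca=${ca:-0}; cb=${cb:-0}
        [ "$ca" -lt "$cb" ] && return 0
        [ "$ca" -gt "$cb" ] && return 1
    done
    return 1
}

# is_vulnerable VERSION: exit 0 when VERSION is an affected build (< 7.20).
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version: prints CFBundleShortVersionString via defaults(1) as the
# advisory does; fails when the app or defaults is absent (non-macOS host).
installed_version() {
    [ -f "$ISTAT_PLIST" ] || return 1
    command -v defaults >/dev/null 2>&1 || return 1
    defaults read "$ISTAT_PLIST" CFBundleShortVersionString 2>/dev/null
}

# check_host: one-line verdict for the local machine; exit 2 when vulnerable.
check_host() {
    if ! v=$(installed_version); then
        echo "iStat Menus not installed; CVE-2025-11921 not applicable"
        return 0
    fi
    if is_vulnerable "$v"; then
        echo "VULNERABLE: iStat Menus $v is below $FIXED_VERSION (CVE-2025-11921)"
        return 2
    fi
    echo "OK: iStat Menus $v is at or above $FIXED_VERSION"
}
# Run the host check only when invoked directly with --check.
case "${1:-}" in --check) check_host ;; esac
```

Run it as `sh istat_check.sh --check` on each macOS host; a non-zero exit of 2 marks a machine that still needs the 7.20 update.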
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update iStat Menus to a fixed version that patches this vulnerability. The vendor released a patched version 7.20 shortly after disclosure. Updating to version 7.20 or later will close the insecure XPC service and prevent local privilege escalation via command injection. Until the update is applied, restrict local user access to the affected system and monitor for suspicious activity related to the iStat Menus daemon. Avoid running untrusted local processes that could exploit this vulnerability. [1]