CVE-2025-11921
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-24

Last updated on: 2025-11-24

Assigner: Fluid Attacks

Description
iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection.This issue affects iStats: 7.10.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-24
Last Modified
2025-11-24
Generated
2026-06-16
AI Q&A
2025-11-24
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11921
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fluidattacks istats 7.10.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-11921 is a critical local privilege escalation vulnerability in iStat Menus version 7.10.4. It arises from an insecure XPC service in the iStat Menus daemon that accepts commands without authentication or authorization. The daemon takes user-supplied input from JSON and directly concatenates it into shell commands without validation or sanitization, leading to command injection. An attacker can inject shell metacharacters to execute arbitrary commands with root privileges. For example, by sending a specially crafted JSON command, an attacker can execute malicious commands as root on the affected system. [1]

Impact Analysis

This vulnerability allows a local, unprivileged user to escalate their privileges to root by injecting arbitrary commands into the iStat Menus daemon's XPC service. This means an attacker with local access can execute any command with root privileges, potentially compromising the entire system. The attacker could manipulate system power management settings, control fan speeds, toggle Wi-Fi, or perform other privileged operations, leading to system compromise, data theft, or physical damage. [1]

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable iStat Menus daemon (com.bjango.istatmenus.daemon) version 7.10.4 running on the system. Since the issue involves an insecure XPC service accepting unauthenticated commands, you can attempt to connect locally to the XPC service and send a test command to see if it accepts input without authentication. A practical detection method is to verify the iStat Menus version installed and check for the presence of the vulnerable service. Specific commands to check the version and running processes include: - Check iStat Menus version: defaults read /Applications/iStat\ Menus.app/Contents/Info.plist CFBundleShortVersionString - Check if the daemon is running: ps aux | grep com.bjango.istatmenus.daemon - Attempt to connect to the XPC service and send a benign command (requires scripting knowledge, e.g., using Objective-C or a tool that can interact with NSXPCConnection) to test if it accepts commands without authentication. Direct command injection tests should only be performed in a controlled environment due to security risks. [1]

Mitigation Strategies

The immediate mitigation step is to update iStat Menus to a fixed version that patches this vulnerability. The vendor released a patched version 7.20 shortly after disclosure. Updating to version 7.20 or later will close the insecure XPC service and prevent local privilege escalation via command injection. Until the update is applied, restrict local user access to the affected system and monitor for suspicious activity related to the iStat Menus daemon. Avoid running untrusted local processes that could exploit this vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11921. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart