CVE-2025-13733
Insecure XPC Service in BuhoNTFS 1.3.2 Enables Privilege Escalation
Publication date: 2025-12-12
Last updated on: 2025-12-18
Assigner: Fluid Attacks
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| buho | buho_ntfs | 1.3.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in BuhoNTFS version 1.3.2 and involves an insecure XPC service that allows local users without privileges to escalate their privileges to root by exploiting insecure functions.
How can this vulnerability impact me? :
An attacker with local access and limited privileges can exploit this vulnerability to gain root-level access, potentially allowing them to fully control the affected system and perform unauthorized actions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the vulnerable BuhoNTFS version 1.3.2 is installed and if the privileged helper tool `com.drbuho.disktool.NTFSHelperTool` is running. Since the issue involves an insecure XPC service that accepts all local connections without authentication, detection involves verifying the presence and status of this service. You can use macOS commands such as `launchctl list | grep com.drbuho.disktool.NTFSHelperTool` to check if the helper tool is loaded. Additionally, monitoring for unusual local connections to this XPC service or unexpected execution of root-level commands related to NTFS mounting or directory creation may indicate exploitation attempts. However, no specific detection commands or network signatures are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting local access to systems running BuhoNTFS version 1.3.2, as the vulnerability requires local user access to exploit. Since there is currently no patch or fix available, users should limit who can log into affected machines and monitor for suspicious activity involving the `com.drbuho.disktool.NTFSHelperTool` service. Avoid running untrusted code or scripts on these systems. Users should also consider uninstalling or disabling BuhoNTFS 1.3.2 until a vendor patch is released. Being cautious with local user privileges and access control is critical to reduce risk. [1]