CVE-2025-69604
BaseFortify
Publication date: 2026-01-29
Last updated on: 2026-02-13
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shirt-pocket | superduper! | to 3.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Shirt Pocket's SuperDuper! versions 3.11 and earlier allows a local attacker to modify the default task template to install an arbitrary package. This package can run shell scripts with root privileges and Full Disk Access, effectively bypassing macOS privacy controls. The issue arises because the installer package feature, originally intended for OS updates on backup copies, could be exploited to gain unauthorized root access. In version 3.12, the developers removed the installer package installation option entirely to eliminate this risk. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability allows a local attacker to gain root privileges and Full Disk Access on the affected system by installing a malicious package that runs shell scripts. This means the attacker can execute arbitrary code with the highest system privileges, potentially leading to full system compromise, unauthorized data access, and bypassing of macOS privacy protections. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if you are running SuperDuper version 3.11 or earlier. Additionally, look for any unexpected package installation steps in the "What's going to happen?" section of the application. If you see an installer package being installed, this may indicate exploitation attempts. There are no specific commands provided, but reviewing the Advanced tab of Options for the installer package installation option and monitoring for unexpected package installations is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediately upgrade SuperDuper to version 3.12 or later, which removes the installer package installation option entirely to eliminate the risk. If upgrading is not immediately possible, disable the installer package installation option in the Advanced tab of Options to prevent arbitrary package installation and potential root access. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.