CVE-2026-2637
Local Privilege Escalation in iBoysoft NTFS ntfshelperd Daemon
Publication date: 2026-03-03
Last updated on: 2026-04-27
Assigner: Fluid Attacks
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iboysoft | ntfs_for_mac | 8.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can allow a local attacker to escalate their privileges to root on a Mac system running iBoysoft NTFS for Mac 8.0.0.
By exploiting the lack of authentication and the command injection flaw in the privileged helper daemon, an attacker can execute arbitrary commands with root privileges, potentially leading to full system compromise. Possible consequences include:
- Arbitrary command execution as root
- Creation or modification of files and directories with root permissions
- Complete control over the affected system
Can you explain this vulnerability to me?
CVE-2026-2637 is a local privilege escalation vulnerability in iBoysoft NTFS for Mac version 8.0.0. The issue lies in the privileged helper daemon called ntfshelperd, which runs as root and exposes an NSConnection service without any authentication or authorization checks.
Because the daemon runs as root and does not verify the identity or privileges of callers, any local unprivileged user can connect to this service and invoke privileged methods. This allows attackers to execute arbitrary commands as root, leading to full system compromise.
Specifically, the vulnerability involves command injection through the method mountAsNTFS:withKey:withMode:withFlag:, which constructs shell commands using user-controlled parameters without sanitization or proper quoting.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exposure to this vulnerability can be detected by checking whether the privileged helper daemon named ntfshelperd is present and running on the system.
Specifically, you can verify if the NSConnection Distributed Objects service named com.iboysoft.ntfsformac.serverhelper is exposed without authentication.
Suggested commands to detect the vulnerability include:
- Use `ps aux | grep ntfshelperd` to check if the ntfshelperd daemon is running.
- Use `launchctl list | grep ntfshelperd` to see if the daemon is loaded as a launch service.
- Use `lsof -p <pid_of_ntfshelperd>` to inspect open files and network connections of the daemon.
- Check for the NSConnection service by inspecting running services or using debugging tools to detect the exposed service named com.iboysoft.ntfsformac.serverhelper.
Additionally, verifying if the daemon runs as root and exposes privileged methods without authentication can be done by attempting to connect locally to the NSConnection service and invoking methods such as fixLicPermissions or mountAsNTFS:withKey:withMode:withFlag: (only in a controlled, safe environment).
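The process check above can be made stricter than `ps aux | grep`. The script below is an added example, not code from the advisory or the vendor. It matches on the exact executable name and reports whether an instance is owned by root. The sample `ps` lines and the `/path/to/` prefix are constructed placeholders, since the page does not give the install path.

```shell
#!/bin/sh
# Added example: triage for the ntfshelperd exposure (not vendor or advisory code).
HELPER_NAME="ntfshelperd"

# Constructed sample of `ps -ax -o user= -o pid= -o comm=` output.
# /path/to/ is a placeholder: the page does not give the install path.
sample_ps() {
    cat <<'EOF'
root 412 /path/to/ntfshelperd
alice 977 grep
alice 1203 /Users/alice/ntfshelperd_notes
_windowserver 160 /path/to/Some Helper
EOF
}

# stdin: "USER PID COMMAND" lines. stdout: "PID USER COMMAND" for each process
# whose executable basename is exactly $HELPER_NAME. Matching on the basename
# avoids the false hits of `ps aux | grep` (the grep itself, similar names).
find_helper() {
    awk -v name="$HELPER_NAME" '{
        path = $3
        for (i = 4; i <= NF; i++) path = path " " $i   # paths may contain spaces
        n = split(path, parts, "/")
        if (parts[n] == name) print $2, $1, path
    }'
}

# stdin: find_helper output. Prints the PIDs of instances owned by root and
# returns 0 if there is at least one, 1 otherwise.
root_instances() {
    awk '$2 == "root" { print $1; found = 1 } END { exit (found ? 0 : 1) }'
}

# Live check, only on macOS; elsewhere the functions can be fed saved output.
if [ "$(uname -s)" = "Darwin" ]; then
    hits=$(ps -ax -o user= -o pid= -o comm= | find_helper)
    if [ -z "$hits" ]; then
        echo "$HELPER_NAME: not running"
    elif pids=$(printf '%s\n' "$hits" | root_instances); then
        echo "$HELPER_NAME: running as root, pid(s): $pids"
    else
        echo "$HELPER_NAME: running, but not as root"
    fi
fi
```

A root-owned hit only shows that the helper is running with the privileges the advisory describes. Whether the installed version is the affected 8.0.0 still has to be confirmed separately.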
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Stop and disable the ntfshelperd daemon to prevent exploitation of the privileged NSConnection service.
- Uninstall or update iBoysoft NTFS for Mac to a version that addresses this vulnerability, if available.
- Restrict local user access to the system to trusted users only, as the vulnerability requires local access.
- Monitor the system for any suspicious activity related to the ntfshelperd daemon or unexpected root-level command executions.
Since the vulnerability arises from the daemon running as root and exposing privileged methods without authentication, removing or disabling the vulnerable service is critical until a patch or update is applied.