Turning Off the Guards Without a Password
Endpoint security on macOS rests on an assumption that an attacker without administrator rights cannot disable the agents watching the machine. XM Cyber has shown that assumption is wrong. In research disclosed on June 24 and 25, researcher Hillel Pinto demonstrated a technique that allows a standard, unprivileged user to silently switch off EDR and MDM tooling, with no admin credentials and no kernel-level exploit required. The chain has already produced one assigned identifier, CVE-2026-39118, against the Kandji MDM agent, and the same approach was demonstrated against CrowdStrike Falcon and at least one other unnamed vendor.
For enterprise defenders, this is a foundational problem rather than a single bug. Most macOS security strategy assumes the EDR sensor is a reliable last line of defense, faithfully reporting and blocking even when a user account is compromised. If a low-privilege attacker can quietly remove that sensor before doing anything noisy, every downstream detection assumption collapses. The agent's own absence becomes the first stage of the attack, and the security team may never see the events that would have triggered an alert. A control that can be switched off by the very user it is meant to constrain is not a control you can build a defense around without compensating telemetry.
How the XPC Trick Works
The technique abuses XPC, the inter-process communication mechanism that macOS apps use to talk to their privileged helper components. According to XM Cyber, the flaw lies in weak XPC validation: a privileged helper trusts a connecting process based on signing checks that can be subverted. By tampering with a legitimate signed application, an attacker can make their malicious code inherit that app's trusted status and then call privileged helper functions without proper authentication, including the functions that disable or uninstall the security tool. The privileged helper believes it is talking to the application that installed it, when in fact it is talking to an impostor wearing that application's signature.
The broader research chains several macOS behaviors together, including manipulation of NIB interface files and abuse of the kernel's code-signing trust cache, to make a tampered binary appear legitimate. None of these steps requires breaking Apple's cryptography outright. They exploit the gap between what the operating system verifies and what a privileged helper assumes it has verified. Pinto plans to release an open-source discovery tool called XPC Hunter that automates finding exploitable XPC privilege-escalation surfaces across installed applications, with a full presentation planned for Black Hat USA in August. That release will almost certainly surface a long tail of additional vulnerable apps beyond the three already named.
Who Patched and Who Did Not
The vendor responses split along predictable lines. Kandji moved quickly, patching its MDM agent and accepting CVE-2026-39118, with all versions prior to 4.7.5(5374) listed as vulnerable. CrowdStrike acknowledged the issue, paid a bug bounty, and added detection and prevention capabilities across supported macOS sensor versions. A CrowdStrike spokesperson framed it as a platform problem, saying the technique exploits a macOS issue and that the company has detections and preventions in place for the Falcon sensor. That is a reasonable position, but it also concedes the root cause is not theirs to fully fix, which is the uncomfortable heart of this disclosure.
The harder story is Apple's. Per the research, Apple does not plan to remediate the underlying macOS design issue, leaving mitigation to third-party vendors. That stance puts every EDR and MDM provider in the awkward position of defending against an abuse of the platform's own trust model, application by application. It also means the technique is likely to remain viable against any security tool that has not specifically hardened its XPC services, long after the headline products have shipped fixes. Enterprises cannot assume the platform will close this door, which shifts the burden of validation onto buyers who must now ask vendors pointed questions about XPC hardening.
Why This Hits the Enterprise Hard
macOS has quietly become a first-class enterprise platform, especially among engineering and executive populations, and the security stack defending those machines is exactly what this technique neutralizes. An attacker who lands on a Mac through phishing or a malicious package no longer needs to win a privilege-escalation race against a hardened sensor. They can potentially disable the sensor first and operate in the dark. For high-value targets, that inverts the usual detection model that EDR vendors sell, and it does so without any of the loud, kernel-level activity that mature monitoring is tuned to catch.
The current threat picture offers one silver lining: there is no evidence of widespread exploitation in the wild yet, and the most prominent affected products have shipped mitigations or detections. But the combination of a vendor-by-vendor fix model and Apple declining to address the root cause means this is a long-tail risk that will outlive the news cycle. Security teams should confirm their macOS agents are on patched versions, inventory which other XPC-using security tools they depend on, watch for unexpected stops or uninstalls of EDR and MDM services, and treat agent tampering as a high-severity event rather than a routine endpoint hiccup.
The Detection Blind Spot
The cruel irony of an EDR-disabling technique is that the tool meant to detect it is the tool being disabled. That makes external telemetry essential. MDM heartbeats, server-side check-in monitoring and SIEM rules that fire when an endpoint goes silent are the controls most likely to catch this, because they do not depend on the on-device agent staying alive. An endpoint that stops reporting should be treated as suspicious by default, not assumed to be offline, and that single change in operating posture closes much of the gap this technique opens.
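The server-side check described above, and the "watch for unexpected stops of EDR and MDM services" guidance from the previous section, can be reduced to a small correlation rule over check-in records. The following is an added example, not code from the article, XM Cyber, or any vendor: the host names, timestamps, the 15-minute heartbeat interval and the three-missed-beats threshold are all constructed. It generalizes the article's point slightly by comparing two independent telemetry sources per host: when the MDM heartbeat is still arriving but the EDR heartbeat has stopped, the device is demonstrably online, so the silence cannot be written off as "offline" and is rated highest.

```python
"""Silent-endpoint detection over MDM and EDR check-in records.

Added example, not from the original article or any vendor. All hosts,
timestamps and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed check-in records: (host, telemetry source, last_seen, UTC).
# Every source is expected to report at least once per EXPECTED_INTERVAL.
CHECKINS = [
    ("mac-eng-01", "mdm", "2026-06-25T09:58:00Z"),
    ("mac-eng-01", "edr", "2026-06-25T09:57:30Z"),
    ("mac-eng-02", "mdm", "2026-06-25T09:59:00Z"),
    ("mac-eng-02", "edr", "2026-06-25T08:10:00Z"),   # EDR quiet, MDM alive
    ("mac-exec-07", "mdm", "2026-06-25T07:00:00Z"),
    ("mac-exec-07", "edr", "2026-06-25T07:01:00Z"),  # both sources quiet
    ("mac-eng-03", "mdm", "2026-06-25T09:59:00Z"),   # no EDR record at all
]

EXPECTED_INTERVAL = timedelta(minutes=15)   # constructed heartbeat cadence
MISSED_BEATS = 3                            # silence beyond this is a finding
NOW = datetime(2026, 6, 25, 10, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(checkins, now, sources=("mdm", "edr"),
             interval=EXPECTED_INTERVAL, missed=MISSED_BEATS):
    """Return one Finding per host whose telemetry pattern needs attention.

    Rules, following the article's guidance that a silent endpoint is
    suspicious by default:
      - a source is "silent" if its latest record is older than
        `missed` * `interval`, or if it never reported;
      - every source silent   -> MEDIUM (investigate, do not assume offline);
      - EDR silent, MDM alive -> HIGH (device is online, sensor is not);
      - MDM silent, EDR alive -> LOW (MDM channel problem, sensor still up).
    """
    cutoff = now - interval * missed
    last_seen = {}  # host -> source -> latest check-in time
    for host, source, ts in checkins:
        t = _parse(ts)
        prev = last_seen.setdefault(host, {}).get(source)
        if prev is None or t > prev:
            last_seen[host][source] = t

    findings = []
    for host in sorted(last_seen):
        seen = last_seen[host]
        alive = {s for s in sources if s in seen and seen[s] >= cutoff}
        silent = set(sources) - alive
        if not silent:
            continue
        if not alive:
            findings.append(Finding(host, "MEDIUM",
                "all telemetry sources silent; investigate before marking offline"))
        elif "edr" in silent:
            when = (f"EDR silent since {seen['edr'].isoformat()}"
                    if "edr" in seen else "EDR has never reported")
            findings.append(Finding(host, "HIGH",
                f"device online via {','.join(sorted(alive))} but {when}"))
        else:
            findings.append(Finding(host, "LOW",
                f"{','.join(sorted(silent))} silent while EDR still reporting"))
    return findings


def demo_findings():
    """Run the rule over the constructed records at the constructed clock."""
    return evaluate(CHECKINS, NOW)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.severity:6} {f.host:12} {f.reason}")
```

In a real deployment the record list would come from the MDM and EDR consoles' APIs or their SIEM forwarders, and the HIGH finding is the one to route as an agent-tampering alert rather than an availability ticket, since the MDM heartbeat rules out the "laptop lid closed" explanation.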
Strategically, CVE-2026-39118 is a prompt to stop treating endpoint agents as tamper-proof anchors. Defense in depth on macOS now has to assume the local sensor can be neutralized by a determined, low-privilege attacker. That means network-layer detection, identity-based controls and rapid response to agent absence all carry more weight than they did a week ago. XPC Hunter will likely surface many more vulnerable applications when it ships at Black Hat, so the prudent move is to harden now, demand XPC validation details from security vendors, and build alerting around silent endpoints rather than waiting for the August reveal to find out how wide the exposure runs.