Tuesday, March 17, 2026

New macOS Vulnerability Allows Attackers to Steal Private Data by Bypassing TCC

Microsoft researchers have disclosed a critical macOS vulnerability that enables attackers to steal sensitive private data normally protected by Apple’s Transparency, Consent, and Control (TCC) framework.

The vulnerability, dubbed “Sploitlight,” exploits Spotlight plugins to access protected files including those in the Downloads folder and Apple Intelligence caches containing highly sensitive user information.

The vulnerability leverages macOS Spotlight importers – plugins that help index files for search functionality.

These plugins, stored as .mdimporter bundles, possess privileged access to sensitive files for indexing purposes, but Microsoft researchers discovered they can be manipulated to exfiltrate file contents despite heavy sandbox restrictions.

Microsoft Defender for Endpoint detection of unusual Spotlight operations.

The attack method involves several steps that don’t require legitimate TCC permissions. Attackers can modify a plugin’s configuration files to target specific file types, install the unsigned bundle in the user’s Spotlight directory, and force the system to use the malicious plugin.

The mdworker task, which runs with elevated privileges to process files for indexing, unknowingly leaks sensitive data through system logs.

“Due to the privileged access that Spotlight plugins have to sensitive files for indexing purposes, Apple imposes heavy restrictions on them via its Sandbox capabilities,” Microsoft explained.

A list of Spotlight plugins on a typical system.

However, researchers found these restrictions insufficient, as attackers can log file contents in chunks to bypass limitations.

macOS Vulnerability

The vulnerability’s impact extends beyond typical file access, threatening data cached by Apple Intelligence on ARM-based Mac devices.

Apple Intelligence stores sensitive information in various directories, including detailed databases under the Pictures folder that contain extensive user metadata.

Attackers exploiting Sploitlight could extract precise GPS coordinates, timestamps, device information, face recognition data, photo albums, search histories, and user preferences from Photos.sqlite and related databases.

The threat extends to classification data, object detection results, and even information about deleted photos that remain in metadata.

Getting file name, description, title, GPS location, and date from Photos.sqlite metadata.

Particularly concerning are the cross-device implications of iCloud account linking. An attacker accessing one macOS device could potentially determine information about other devices connected to the same iCloud account, including iPhones, since face tagging and metadata propagate across the ecosystem.

Security Implications

Microsoft responsibly disclosed the vulnerability to Apple through Coordinated Vulnerability Disclosure protocols.

Apple addressed the issue by releasing security updates for macOS Sequoia on March 31, 2025, assigning it CVE-2025-31199.

The company encourages all macOS users to apply these critical security updates immediately.

Microsoft has integrated detection capabilities into Defender for Endpoint to identify suspicious .mdimporter bundle installations and unusual indexing of sensitive directories.
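As an added illustration of the kind of check a defender can run themselves (this is not Microsoft's Defender logic and not code from the original article), the script below inventories the per-user Spotlight importer directory that Sploitlight abuses, reads the content types each `.mdimporter` bundle claims in its `Info.plist`, asks `codesign` whether the bundle is signed, and flags bundles that are unsigned or declare very broad types. The "broad type" list is an assumed heuristic, not a published indicator.

```python
import os
import plistlib
import shutil
import subprocess

# Per-user importer directory; writable without admin rights, which is where the
# article says the unsigned malicious bundle is installed.
USER_IMPORTER_DIR = os.path.expanduser("~/Library/Spotlight")

# UTIs broad enough to match almost any file. A benign importer usually declares
# narrow types, so matching one of these is a heuristic (assumption), not an IoC.
BROAD_UTIS = {"public.data", "public.item", "public.content"}

def declared_utis(bundle_path: str) -> list[str]:
    """Return the content types an importer claims via CFBundleDocumentTypes."""
    info = os.path.join(bundle_path, "Contents", "Info.plist")
    if not os.path.isfile(info):
        return []
    with open(info, "rb") as fh:
        plist = plistlib.load(fh)
    utis: list[str] = []
    for doc_type in plist.get("CFBundleDocumentTypes", []):
        utis.extend(doc_type.get("LSItemContentTypes", []))
    return utis

def is_signed(bundle_path: str):
    """True/False from codesign; None when codesign is absent (non-macOS host)."""
    if shutil.which("codesign") is None:
        return None
    rc = subprocess.run(["codesign", "--verify", bundle_path], capture_output=True)
    return rc.returncode == 0

def audit_importers(directory: str = USER_IMPORTER_DIR) -> list[dict]:
    """Inventory every .mdimporter in `directory`, with risk flags per bundle."""
    findings: list[dict] = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".mdimporter"):
            continue
        path = os.path.join(directory, name)
        utis = declared_utis(path)
        findings.append({"bundle": path, "utis": utis,
                         "broad_types": sorted(set(utis) & BROAD_UTIS),
                         "signed": is_signed(path)})
    return findings

if __name__ == "__main__":
    for f in audit_importers():
        flag = "REVIEW" if f["broad_types"] or f["signed"] is False else "ok"
        print(f"{flag}: {f['bundle']} types={f['utis']} signed={f['signed']}")
```

Run it on each managed Mac and compare the output against the importers you expect; any bundle in the per-user directory that you did not deploy deserves a look regardless of the flags.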

The company emphasizes this vulnerability’s severity compared to previous TCC bypasses like “HM-Surf” and “powerdir” due to its ability to access Apple Intelligence data.

“The implications of this vulnerability are more severe due to its ability to extract and leak sensitive information cached by Apple Intelligence,” Microsoft stated.

The discovery highlights the ongoing need for vigilant security research and collaboration between technology companies to protect user privacy across platforms.

This vulnerability underscores the evolving threat landscape facing macOS users and the importance of maintaining updated security patches to protect sensitive personal data from unauthorized access.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
