{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24068", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "state": "PUBLISHED", "assignerShortName": "SEC-VLab", "dateReserved": "2026-01-21T11:29:19.853Z", "datePublished": "2026-03-26T10:55:54.603Z", "dateUpdated": "2026-03-26T13:51:53.385Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2026-03-26T10:55:54.603Z"}, "title": "Missing XPC Client & NSXPC endpoint validation leads to privilege escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "Vienna Symphonic Library GmbH", "product": "Vienna Assistant", "platforms": ["MacOS"], "versions": [{"status": "affected", "version": "1.2.542"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The VSL privileged helper does utilize NSXPC for IPC. The implementation of the \"shouldAcceptNewConnection\" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all.\u00a0This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol.\u00a0No validation is performed in the functions \"writeReceiptFile\" and \u201crunUninstaller\u201d of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The VSL privileged helper does utilize NSXPC for IPC. The implementation of the \"shouldAcceptNewConnection\" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all.&nbsp;<span>This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol.&nbsp;</span><span>No validation is performed in the functions \"writeReceiptFile\" and \u201crunUninstaller\u201d of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.</span></p>"}]}], "references": [{"url": "https://r.sec-consult.com/vsl", "tags": ["third-party-advisory"]}], "solutions": [{"lang": "en", "value": "The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.</p>"}]}], "credits": [{"lang": "en", "value": "Florian Haselsteiner, SEC Consult Vulnerability Lab", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:51:15.411589Z", "id": "CVE-2026-24068", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:51:53.385Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24068", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T13:51:15.411589Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:50:04.333Z"}}], "cna": {"title": "Missing XPC Client & NSXPC endpoint validation leads to privilege escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Florian Haselsteiner, SEC Consult Vulnerability Lab"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "affected": [{"vendor": "Vienna Symphonic Library GmbH", "product": "Vienna Assistant", "versions": [{"status": "affected", "version": "1.2.542"}], "platforms": ["MacOS"], "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.", "supportingMedia": [{"type": "text/html", "value": "<p>The vendor was unresponsive and did not respond to any of our communication attempts. Therefore, a patch is not available. In case you are using this product, please approach the vendor and demand a fix.</p>", "base64": false}]}], "references": [{"url": "https://r.sec-consult.com/vsl", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The VSL privileged helper does utilize NSXPC for IPC. The implementation of the \"shouldAcceptNewConnection\" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all.\u00a0This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol.\u00a0No validation is performed in the functions \"writeReceiptFile\" and \u201crunUninstaller\u201d of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.", "supportingMedia": [{"type": "text/html", "value": "<p>The VSL privileged helper does utilize NSXPC for IPC. The implementation of the \"shouldAcceptNewConnection\" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all.&nbsp;<span>This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol.&nbsp;</span><span>No validation is performed in the functions \"writeReceiptFile\" and \u201crunUninstaller\u201d of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation.</span></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing authentication for critical function"}]}], "providerMetadata": {"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "shortName": "SEC-VLab", "dateUpdated": "2026-03-26T10:55:54.603Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24068", "state": "PUBLISHED", "dateUpdated": "2026-03-26T13:51:53.385Z", "dateReserved": "2026-01-21T11:29:19.853Z", "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf", "datePublished": "2026-03-26T10:55:54.603Z", "assignerShortName": "SEC-VLab"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The VSL privileged helper does utilize NSXPC for IPC. The implementation of the \"shouldAcceptNewConnection\" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all.\u00a0This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol.\u00a0No validation is performed in the functions \"writeReceiptFile\" and \u201crunUninstaller\u201d of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation."}], "id": "CVE-2026-24068", "lastModified": "2026-03-26T15:16:32.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T11:16:20.097", "references": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "url": "https://r.sec-consult.com/vsl"}], "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-26T12:21:00.908808+00:00", "value": {"mitigation_remediation": ["Immediately contact Vienna Symphonic Library and demand that they release a fix or apply a patch as soon as one becomes available", "If a patch is not forthcoming, uninstall or disable Vienna Assistant so the privileged helper is no longer active", "Restrict the use of the vulnerable helper by monitoring the /Library/PrivilegedHelperTools or equivalent for unexplained executions", "Enable macOS log auditing and alert on any unexpected write or execute actions originating from Vienna Assistant", "Consider applying a local firewall or App Sandbox restrictions to limit the processes that can communicate with the XPC service"], "summary": {"action": "Contact Vendor", "impact": "Privilege Escalation via unvalidated XPC service"}, "threat_synthesis": {"affected_systems": "The issue affects Vienna Symphonic Library GmbH\u2019s Vienna Assistant product for macOS. No specific version numbers are listed, so all available releases MAY be susceptible.", "description_and_impact": "The Vienna Assistant for macOS uses the NSXPC framework to expose a privileged helper but never validates clients in the shouldAcceptNewConnection method. Any process can therefore connect to the helper and invoke its API, including the writeReceiptFile and runUninstaller functions. Because these functions have no further checks, an attacker can write arbitrary files anywhere on the system and execute commands with the helper\u2019s elevated privileges. This flaw directly leads to privilege escalation and full control over the operating system.", "risk_and_exploitability": "The vulnerability is exploitable locally from any running process; no network access is required. The CVSS score is not provided, and the EPSS score is unavailable, so the exact severity cannot be quantified here. The flaw is not listed in the CISA KEV catalog. Because an attacker can execute arbitrary code with privileged rights, the risk is high for any user running the vulnerable application."}}}}, "created": "2026-03-26T13:54:52.785557+00:00", "updated": "2026-03-26T13:54:52.785578+00:00", "vendors": []}