CVE-2025-69604 in SuperDuper
Summary
by MITRE • 01/29/2026
An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/14/2026
The vulnerability identified as CVE-2025-69604 resides within Shirt Pocket's SuperDuper! software version 3.11 and earlier, presenting a critical security risk that enables local attackers to escalate privileges and circumvent macOS privacy protections. This flaw specifically targets the application's handling of default task templates, creating an avenue for malicious modification that can result in arbitrary code execution with elevated privileges. The vulnerability represents a significant weakness in the software's security architecture and demonstrates poor input validation practices that allow unauthorized modification of system components.
The technical flaw manifests through the manipulation of default task templates within SuperDuper! which are designed to execute shell scripts with root privileges. When an attacker successfully modifies these templates, they can inject malicious code that leverages the application's legitimate privilege escalation mechanisms to gain Full Disk Access. This exploitation pathway directly violates macOS security models by bypassing the privacy controls that normally restrict applications from accessing system resources without explicit user consent. The vulnerability operates at the intersection of privilege escalation and access control bypass, making it particularly dangerous as it can be exploited without requiring additional user interaction beyond initial installation or modification of the affected software.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass complete system compromise through unauthorized access to all disk content. Attackers can leverage the installed packages to execute shell scripts with root privileges, effectively granting them complete control over the affected system. This capability enables data exfiltration, persistence mechanisms, and further exploitation of other system components. The bypass of macOS privacy controls means that attackers can access sensitive user data, system configurations, and other protected resources without triggering the usual security warnings or user prompts that would normally alert administrators to suspicious activity. This vulnerability undermines the fundamental security model of macOS by allowing malicious code to operate with elevated privileges while remaining undetected by standard security monitoring tools.
Mitigation strategies for CVE-2025-69604 should prioritize immediate software updates to versions that address the template modification vulnerability and implement proper input validation. Organizations should conduct comprehensive security assessments of all systems running SuperDuper! 3.11 or earlier, particularly focusing on monitoring for unauthorized modifications to system task templates. System administrators should review existing task templates for signs of malicious modification and implement additional security controls such as file integrity monitoring and privilege separation. The vulnerability aligns with CWE-749 and CWE-276 categories related to dangerous functions and improper privileges, while also mapping to ATT&CK techniques involving privilege escalation and persistence through legitimate system tools. Regular security audits should include verification of application integrity and monitoring for unauthorized modifications to system-level configurations that could enable similar exploitation patterns.