
CVE-2025-43472: Diving into MacOS Privilege Escalation with PackageKit

  • Writer: Morris Richman
  • 19 hours ago
  • 3 min read

This summer, as I was thinking about what my goals were and what I wanted to do, one thing kept coming up: more cybersecurity. So that is exactly what I did. For those concerned, that isn't the only thing I did: I also spent plenty of time with friends and family. I took a road trip with my dad in July and we went white water rafting. It was a total blast. Plus, I worked on Radiance and created Container-Compose as a tool for Apple's new tool, container.


But I definitely did quite a bit of cybersecurity research. As part of this, I decided that I wanted to learn more about the inner workings of macOS and learn from previous exploits. Some of my favorite reads have been Mickey Jin's blog, Mykola Grymalyuk's blog, and various talks given at ObjectiveByTheSea over the years.


The Original Vulnerability

While reading this material, one thing that caught my attention was Mykola's writeup on CVE-2024-27822, a privilege escalation vulnerability he disclosed in macOS's PackageKit, an internal framework used by Installer.app. I won't go into all of the details here, but you should absolutely give his writeup a read. It is fantastic.


The basic way it works is by leveraging an oversight in how pre-install scripts invoked zsh. If a .pkg file was set to run as administrator and its pre-install script was invoked via zsh, the macOS installer would execute the user's .zshenv file (a shell configuration file that zsh reads whenever it starts) as root. This meant that any unsandboxed app could modify this file and would then gain root privileges when the user installed a .pkg file that met those conditions.


Discovering the New Vulnerability

I noticed while reading this that one of the other standard configuration files for zsh, .zprofile, was never mentioned. I spent some time playing around with the proof of concept (POC) Mykola had posted and realized that .zprofile was still exposed to the same fundamental issue. There was one caveat, though: the pre-install script had to invoke zsh as a login shell, which is normally the only time .zprofile is run.
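To make the two conditions concrete, here is a small audit script added as an example (it is not from the original post or the POC): it lists which user dotfiles a preinstall script's zsh invocations would source, following zsh's documented startup order, namely ~/.zshenv on every start unless -f/--no-rcs is given, and ~/.zprofile (plus ~/.zlogin) only for login shells. The sample preinstall script is constructed, and the wrapper list (exec, env, sudo) is an assumption about common script styles.

```python
import shlex

# Which user startup files zsh sources depends on how it is invoked (zsh's
# documented startup order); paths are under $ZDOTDIR or $HOME. Run as root
# with the installing user's HOME, each one is writable by that user's
# unsandboxed apps: ~/.zshenv was CVE-2024-27822, ~/.zprofile CVE-2025-43472.
ALWAYS = ["~/.zshenv"]                # every zsh start, unless -f / --no-rcs
LOGIN = ["~/.zprofile", "~/.zlogin"]  # login shells only (-l / --login)
WRAPPERS = {"exec", "env", "/usr/bin/env", "sudo"}  # assumed common prefixes

def _zsh_argv(line, is_shebang):
    """Return argv if this (shebang or command) line runs zsh, else None."""
    try:
        argv = shlex.split(line[2:] if is_shebang else line, comments=True)
    except ValueError:
        return None
    while argv and argv[0] in WRAPPERS:
        argv = argv[1:]
    return argv if argv and argv[0].rsplit("/", 1)[-1] == "zsh" else None

def _options(argv):
    """Short option letters and long options that precede the first operand."""
    letters, longs = set(), set()
    for arg in argv[1:]:
        if arg.startswith("--"):
            longs.add(arg)
        elif arg.startswith("-") and len(arg) > 1:
            letters.update(arg[1:])   # combined flags such as -lc
        else:
            break                     # script path or -c command string
    return letters, longs

def audit_preinstall(script):
    """Per zsh invocation: line, argv and the user dotfiles it would source."""
    findings = []
    for n, line in enumerate(script.splitlines(), 1):
        argv = _zsh_argv(line.strip(), n == 1 and line.startswith("#!"))
        if argv is None:
            continue
        letters, longs = _options(argv)
        dotfiles = [] if "f" in letters or "--no-rcs" in longs else ALWAYS[:]
        if dotfiles and ("l" in letters or "--login" in longs):
            dotfiles += LOGIN
        findings.append({"line": n, "argv": argv, "dotfiles": dotfiles})
    return findings

# Constructed sample preinstall script (not from the CVE report or its POC).
SAMPLE = ("#!/bin/zsh -l\necho prep\n/bin/zsh -c 'echo plain'\n"
          "/bin/zsh -f ./helper.zsh\nexec /bin/zsh --login ./setup.zsh\n")
```

Calling `audit_preinstall(SAMPLE)` flags the shebang and the `--login` line as sourcing ~/.zprofile, the plain `-c` line as sourcing only ~/.zshenv, and the `-f` line as sourcing no user dotfiles at all.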


Keeping that caveat in mind, I made a working POC and submitted it to Apple on June 20th, 2025. Luckily, they accepted the report without needing anything else from me. Less than 5 months later, they patched the bug in macOS 26.1, 15.7.2, and 14.8.2 as CVE-2025-43472.


Closing Thoughts

Unfortunately, I doubt this is the last time we will see this type of bug. The idea of hijacking a program that executes a user's configuration file with escalated privileges is not new, and another bug like it in Installer is likely to be found. Maybe you, the reader, will be the next one to find a bug like this in Installer.app?


Either way, if you have not updated your Mac, please do so. I am not the only researcher to have found a privilege escalation vulnerability in macOS 26 and below, and those other vulnerabilities likely have fewer requirements to work than this one.


If you would like to learn more about this bug, I highly suggest reading Mykola's writeup. You can also download the POC for this vulnerability here.


Got Questions?


DM or Tweet at me: @morrisinlife


A Special Thanks to Zack Simmonsen for Designing My Logo

©Mcrich™ 2022-2025
