Apple recently patched a vulnerability in macOS that allowed malicious code to bypass the system's privacy controls, known as TCC (Transparency, Consent, and Control), and read highly sensitive user data. Among the exposed information was cached data belonging to Apple Intelligence.
The vulnerability, identified as CVE-2025-31199 and dubbed "SPloitLight" by Microsoft researchers, abused the way Spotlight loads its indexing plugins to evade macOS's privacy restrictions. Through it, an attacker could collect detailed user data without triggering a single permission prompt.
Apple addressed the issue in March 2025 with the release of macOS Sequoia 15.4. Apple's own description of the fix is terse: a "logging issue" that was "addressed with improved data redaction", i.e., better hiding of sensitive content in what the indexing machinery records. That redaction change is what closed the loophole SPloitLight used.
How Did Hackers Exploit Spotlight to Access Data on macOS?
In macOS, the TCC (Transparency, Consent, and Control) system acts as a security layer that prevents apps from freely accessing personal data such as your location, photos, calendar, or contacts. To access that data, apps must request your permission—at least in theory.
However, a team of Microsoft researchers (Jonathan Bar Or, Alexia Wilson, and Christine Fossaceca) found a way to circumvent that control. Spotlight indexes files by handing them to importer plugins, and those plugins run inside Spotlight's own worker processes, which are entitled to read files that TCC would block for an ordinary app. A plugin planted by a malicious app therefore inherits that access: it can read files normally restricted to applications with Full Disk Access, without the app itself ever being granted anything.
According to Microsoft, while this attack resembles previous bypasses like HM-Surf and powerdir, SPloitLight poses an even greater risk. Why? Because it can not only bypass local privacy controls but also extract cached data from Apple Intelligence and even remote information from devices connected to iCloud.
In other words, what seemed like a technical and limited vulnerability actually translated into uncontrolled access to highly sensitive data, both local and cloud-based.
What Could Attackers Steal with the SPloitLight Vulnerability?
The scope of this macOS flaw is far from minor. If an attacker managed to exploit it, they could access a large amount of private information without the user ever noticing. The types of data that could be stolen include:
- The user's precise location
- Photo and video metadata (such as where and when they were taken)
- Facial recognition data and information about people detected in images
- Photo albums and shared libraries
- Search history and personalized settings
- Deleted photos and videos that may still be cached
- Remote data linked to iCloud accounts and associated devices
Although Apple described the issue as a mere "logging issue", Microsoft went further and showed what that wording hides: a plugin running inside Spotlight's indexer could read TCC-protected files and leak their contents out to the attacker. In other words, it was privileged read access disguised as a routine system operation.
[Figure: Exploitation of SPloitLight (Source: Microsoft)]
What is most concerning about the SPloitLight vulnerability is that it required nothing from the victim. Once an attacker had code running on the machine, even as an unprivileged user, a modified plugin was enough: Spotlight is a core system service, and the plugin simply rode on the access its indexer already has. No click, no approval dialog, no user interaction at all.
Even worse, TCC (Transparency, Consent, and Control) never registered the access, because from its point of view the reads came from a trusted system component rather than from the malicious app. That means no alerts, no notifications, and nothing in the usual privacy logs. It was a completely silent intrusion.
A History of Vulnerabilities in macOS
This isn't the first time gaps have been found in macOS's defenses. Microsoft's write-up points to a series of earlier flaws, several discovered by its own researchers, that bypassed TCC or other security layers. Here are some of the most notable:
- CVE-2020-9771 – TCC bypass using Time Machine mounts
- CVE-2021-30713 – Logic vulnerability in package verification
- CVE-2021-30970 (powerdir) – Injection of fake configurations into the TCC database
- CVE-2023-32369 (Migraine) – System Integrity Protection (SIP) bypass for rootkit installation
- CVE-2024-44243 – SIP bypass by loading third-party kernel extensions
Each of these flaws demonstrated that, despite macOS's robust architecture, its security layers can still be vulnerable to well-crafted attacks.
Microsoft’s Warning: The Risk Goes Beyond the Device
Microsoft didn’t stop at documenting the technical issue. The company also issued a clear warning: these vulnerabilities don’t just affect the compromised device—they could also expose data from other devices linked to the same iCloud account.
“These risks are amplified by the possibility of remote access to data tied to iCloud accounts,” the researchers explained. “An attacker could obtain partial information from all devices connected to the same Apple ID.”
In other words, compromising a single Mac could become the entry point to your entire Apple device network.
Apple Responds: Silent Patch and Security Recommendations
Apple quietly addressed the issue in March 2025 with the release of macOS Sequoia 15.4. Apple's published description of the fix goes no further than "improved data redaction", with no detail on how Spotlight plugins are handled differently, so the only reliable indicator that a Mac is protected is its version number.
Although Apple didn't make much noise about the update, the recommendations for users and organizations are clear:
What Should You Do if You Use macOS?
- Update immediately to macOS Sequoia 15.4 or later
- Audit third-party software that installs Spotlight importers, paying particular attention to plugins in user-writable locations such as ~/Library/Spotlight
- Monitor unusual plugin behavior, especially importers that claim to handle far more file types than their purpose requires
- Review the macOS unified log for unexpected Spotlight indexing activity and use it to investigate suspicious or abnormal access
These measures are especially critical in enterprise environments, where a single point of entry can expose entire networks.
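The audit steps above can be automated. The following script is an added example written for this article, not code from Microsoft, Apple or the original page. It walks the standard Spotlight importer directories, reads each bundle's Info.plist (importers declare the content types they index under `CFBundleDocumentTypes` / `LSItemContentTypes`), and flags the two traits that matter here: a plugin living in a user-writable location, and a plugin claiming very broad content types, which would cause the indexer to hand it almost every file on disk. The directory layout, bundle names and identifiers below are constructed sample data so the script runs anywhere; on a real Mac you would point `audit()` at the live directories. It is a heuristic only: it does not verify code signatures, and a legitimate importer can appear under `~/Library/Spotlight`.

```python
"""Audit Spotlight importer bundles (*.mdimporter) for the traits behind
SPloitLight: a plugin in a user-writable location whose Info.plist claims
broad content types, so Spotlight's indexer feeds it files the attacker
could not otherwise read. Added example; not from the original article."""
import os
import plistlib
import tempfile
from dataclasses import dataclass, field

# Standard importer locations on macOS (the per-user one is under $HOME).
SYSTEM_DIRS = ("/System/Library/Spotlight", "/Library/Spotlight")
USER_DIR = os.path.expanduser("~/Library/Spotlight")

# Uniform Type Identifiers broad enough to match almost any file. A
# legitimate importer normally declares the specific formats it parses.
BROAD_UTIS = {"public.item", "public.data", "public.content", "public.text"}


@dataclass
class ImporterReport:
    path: str
    bundle_id: str
    utis: list
    findings: list = field(default_factory=list)


def declared_utis(info):
    """Collect every content type the importer registers for."""
    utis = []
    for doc_type in info.get("CFBundleDocumentTypes", []):
        utis.extend(doc_type.get("LSItemContentTypes", []))
    return utis


def audit_importer(bundle_path, home):
    """Inspect one .mdimporter bundle and return findings (empty = nothing odd)."""
    plist_path = os.path.join(bundle_path, "Contents", "Info.plist")
    with open(plist_path, "rb") as fh:
        info = plistlib.load(fh)
    report = ImporterReport(bundle_path,
                            info.get("CFBundleIdentifier", "<none>"),
                            declared_utis(info))
    # Anything under the user's home can be planted without admin rights.
    real_home = os.path.realpath(home) + os.sep
    if os.path.realpath(bundle_path).startswith(real_home):
        report.findings.append("installed in user-writable location")
    broad = BROAD_UTIS & set(report.utis)
    if broad:
        report.findings.append("claims broad content types: "
                               + ", ".join(sorted(broad)))
    return report


def find_importers(search_dirs):
    for directory in search_dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if name.endswith(".mdimporter"):
                yield os.path.join(directory, name)


def audit(search_dirs, home):
    return [audit_importer(path, home) for path in find_importers(search_dirs)]


def build_sample_tree(root):
    """Constructed sample data (not real software): one ordinary importer in
    the system-wide directory and one planted in the user's directory that
    claims to index everything."""
    def write_bundle(directory, name, bundle_id, utis):
        contents = os.path.join(directory, name, "Contents")
        os.makedirs(contents, exist_ok=True)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleIdentifier": bundle_id,
                           "CFBundleDocumentTypes": [{"LSItemContentTypes": utis}]},
                          fh)

    sys_dir = os.path.join(root, "Library", "Spotlight")
    home = os.path.join(root, "Users", "alice")
    user_dir = os.path.join(home, "Library", "Spotlight")
    write_bundle(sys_dir, "Example.mdimporter", "com.example.importer",
                 ["com.example.document"])
    write_bundle(user_dir, "Planted.mdimporter", "com.example.planted",
                 ["public.item", "public.data"])
    return [sys_dir, user_dir], home


def run_demo():
    """Build the constructed tree, audit it, and return the reports."""
    with tempfile.TemporaryDirectory() as root:
        dirs, home = build_sample_tree(root)
        return audit(dirs, home)


if __name__ == "__main__":
    for report in run_demo():
        status = "SUSPECT" if report.findings else "ok"
        print(f"{status:7} {report.bundle_id}  {report.path}")
        for finding in report.findings:
            print("        -", finding)
```

On a live system, replace `run_demo()` with `audit(list(SYSTEM_DIRS) + [USER_DIR], os.path.expanduser("~"))` and follow up on anything marked SUSPECT by checking its code signature and who installed it.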
Conclusion: SPloitLight Is a Wake-Up Call
The SPloitLight case shows that even the most closed and secure systems, like macOS, are not immune to serious architectural flaws. What’s most concerning is that these attacks can go completely unnoticed by users and traditional security solutions.
Updating the operating system and adopting a proactive security posture is no longer optional—it’s a necessity. Organizations must stay up to date with patches, scrutinize the software they rely on, and make full use of Apple’s logging and monitoring tools.